The data belongs to customers who registered for the MyPanera program in order to pre-order food online and pick it up later. The fact that the breach came through a loyalty program opens up a second conversation: whether the loyalty information customers opt to hand over is being protected at all well.
The breach was first reported by Krebs On Security, and the most troubling detail to emerge is that Panera had known about the exposure for at least eight months. Management had been notified, yet little action appears to have been taken. Krebs describes the data as being available in plain text, and it appears to include records of customers who signed up for the online program via panerabread.com.
Current reporting points to a security flaw on the main Panera Bread website as the cause. Krebs estimates that millions of customer records were exposed; Panera Bread says thousands. The exposed fields include names, email and physical addresses, birthdays, and the last four digits of credit card numbers. The picture will become clearer as the story unfolds.
Other security analysts and writers are choosing to focus on the vulnerability of loyalty programs and the security of the data they collect. That is a justifiable focus, and it needs to be addressed. We would like to add to the conversation by stressing the importance of data breach lag time.
Data Breach Lag Time
When companies discover a data breach, they typically wait months to disclose and announce it. The time from discovery to announcement can have a significant impact on both dollar and reputation cost. Note that this is a separate lag from the time it takes to notice the breach in the first place: according to the research firm Gartner, the average time before a breach is even detected is 205 days, and the disclosure clock cannot start until detection has happened.
A breach can go unannounced for many reasons. First, staying on top of security challenges is costly and time consuming; if a company is not approaching the problem proactively, breach detection can fall through the cracks. Second, once attackers are inside a system they want to stay undetected, and they will do whatever is in their power to remain so, because the longer they go unnoticed, the longer they can exploit the data.
These reasons are understandable; however, a non-monetary cost that companies usually forget is a tainted brand reputation. A long lag, and especially the appearance that a company has 'covered up' a breach, leads to customer mistrust and to customers leaving.
As this data breach story continues to unfold, we will post updates at our Twitter account.