Weekly podcast: Panera Bread, Grindr and MyFitnessPal

This week, we discuss responses to data breaches at Panera Bread, Grindr and Under Armour’s MyFitnessPal

Hello and welcome to the IT Governance podcast for Friday, 6 April 2018. This week we’re going to concentrate on data breaches and incident response management.

The security researcher Dylan Houlihan reports that the US bakery-café chain Panera Bread leaked customer information in plaintext – including “the full name, home address, email address, food/dietary preferences, username, phone number, birthday and last four digits of a saved credit card” of “any user that had ever signed up for an account” – for some eight months, despite having acknowledged that the vulnerability existed and claiming to be working on a fix.

According to Houlihan, he first reported the issue to Panera Bread’s director of information security, Mike Gustavison, in August 2017. After initial hostility, Gustavison said that Panera Bread was “working on a resolution”.

Having waited eight months for Panera to fix the flaw, Houlihan decided to go public. He created a Pastebin page detailing the vulnerability, and emailed Brian Krebs, who took up the story earlier this week. Perhaps because of his higher profile, Mr Krebs had better luck: he managed to speak to Panera’s chief information officer John Meister, and shortly afterwards the company briefly took its website offline, claiming to have fixed the issue.

Mr Krebs wrote: “It is not clear yet exactly how many Panera customer records may have been exposed by the company’s leaky Web site, but […] that number may be higher than seven million.”

In an update to his blog published later that day, Krebs reports that, minutes after he had published his story, “Panera gave a statement to Fox News downplaying the severity of this breach, stating that only 10,000 customer records were exposed.”

According to Krebs, however, not only had Panera actually failed to fix the bug, it was also present in Panera’s commercial division, “which serves countless catering companies”. So, rather than 10,000 or even 7 million users being affected, the actual number of victims was closer to 37 million. As of the time of recording, panerabread.com is offline again.

Panera Bread isn’t the only organisation to have come under fire this week. The gay hookup app Grindr has been widely criticised for sharing its users’ personal information, including their HIV status, with third-party organisations. According to BuzzFeed News, which reported the story on Monday 2 April, the two third-party companies, Apptimize and Localytics, “receive some of the information that Grindr users choose to include in their profiles, including their HIV status and ‘last tested date’” as well as their GPS data, phone ID and email.

Grindr’s chief technology officer Scott Chen said: “Apptimize and Localytics are two highly-regarded software vendors which help us improve the experience for our users. They take our users’ privacy seriously, and so do we. […] Grindr has never sold, nor will we ever sell, personal user information – especially information regarding HIV status or last test date – to third parties or advertisers.”

However, many have complained that it’s not a matter of whether the sensitive data was sold, but the fact that it was shared with a third party at all. Writing in the Guardian, Brian Moylan called Chen’s response “tone-deaf”, and James Krellenstein, a member of AIDS advocacy group ACT UP New York, told BuzzFeed News: “To […] have that data shared with third parties that you weren’t explicitly notified about, and having that possibly threaten your health or safety — that is an extremely, extremely egregious breach of basic standards that we wouldn’t expect from a company that likes to brand itself as a supporter of the queer community.”

Grindr’s chief security officer Bryce Case protested that people’s fears were based on a misunderstanding of technology and that Grindr was being wrongly compared to Cambridge Analytica. “It’s conflating an issue and trying to put us in the same camp where we really don’t belong,” he said.

Later the same day, however, the company, which has 3.6 million active daily users, said it would stop sharing users’ information with third parties when the app was next updated.

Nevertheless, the Norwegian Consumer Council filed a privacy complaint against Grindr on Tuesday for breaching data protection law. TechCrunch reports that Finn Myrstad, the director of digital services at the Council, said: “Information about sexual orientation and health status is regarded as sensitive personal data according to European law, and has to be treated with great care. In our opinion, Grindr fails to do so.”

On the subject of app security, personal information relating to approximately 150 million users of the MyFitnessPal nutrition app – which is owned by the popular fitness brand Under Armour – has been compromised in a data breach.

According to Under Armour, it discovered on 25 March that “an unauthorized party [had] acquired data associated with MyFitnessPal user accounts” in February. Affected information included usernames, email addresses and passwords – the majority of which were hashed with bcrypt. (Other information was protected with SHA-1.) Users are advised to change their passwords on all accounts that used the same login credentials.

The date Under Armour published its notice? 29 March – four days after discovering the breach. A bit better than Panera’s eight months, eh?

At 150 million breached accounts, this is the largest breach of the year. I bet it won’t hold that record for long…

The lesson to be learned from all of these incidents is that, in the wake of the Facebook/Cambridge Analytica scandal and with the GDPR less than two months away, how you respond to a data breach really matters.

Check out our website for more information about cyber incident response management.

Well, that’ll do for this week. Until next time you can keep up with the latest information security news on our blog.

Whatever your information security needs – whether regulatory compliance, stakeholder reassurance or just greater business efficiency – IT Governance can help your organisation to protect, comply and thrive. Visit our website for more information: itgovernance.co.uk.