Tag Archives: Brian Krebs

Breach Brief – Panera Bread, Saks Fifth Avenue, Orbitz

Panera, a popular bakery-cafe has admitted its website was leaking a data. According to Brian Krebs of KrebsOnSecurity.com Panera allegedly failed to fix issues with its website it knew about for nearly eight months. Panera Bread has  has over 2,100 outlets nationwide. 

Cyber security researcher Dylan Houlihan notified the company of a data leak in early August 2017. Mike Gustavison, Panera director of information security was informed of the flaw and said the company “working on a resolution.” Despite this statement the flaw was not repaired. 

Data records that leaked out contain the names, email and physical addresses, birth dates and the last four digits of the credit card numbers of Panera customers. 

Only after Krebs spoke directly with Panera chief information officer John Meister was the site shut down briefly and the data secured.  The number of customers whose data may have been compromised is estimated at 37 million.

A statement from Panera Bread said; “Panera takes data security very seriously and this issue is resolved. Following reports today of a potential problem on our website, we suspended the functionality to repair the issue. Our investigation is continuing, but there is no evidence of payment card information nor a large number of records being accessed or retrieved.”

The company urges its customers to alert for any fraudulent activity in the bank or credit accounts.

Saks Fifth Avenue/Lord & Taylor

Saks Fifth Avenue and Lord & Taylor reported a data breach affecting millions of its customers.

According to the company “a well-known ring of cybercriminals” had stolen more than 5 million credit and debit card numbers from customers. According to the New York Times the cyber criminals were able to pull off this massive heist by implanting software into the cash register systems.

Although it is early in the investigation the the hack appears to have only affected card numbers and not social security or driver’s license numbers.

The majority of the affected credit cards appear to have been used at Saks and Lord & Taylor stores between May 2017 and March 2018 and only in the New York-New Jersey areas stores. 

Both Saks 5th Ave. and Lord & Taylor are owned by the Canadian company Hudson’s Bay. The company issued the following statement;“We have become aware of a data security issue involving customer payment card data at certain Saks Fifth Avenue, Saks Off 5th and Lord & Taylor stores in North America. We have identified the issue, and have taken steps to contain it. Once we have more clarity around the facts, we will notify our customers quickly and will offer those impacted free identity protection services, including credit and web monitoring.”

Orbitz

The popular travel booking site Orbitz announced that its legacy site, Amextravel.com, was compromised due to a data breach.  Data of  880,000 customers was compromised from January 1, 2016 through December 22, 2017.

According to the company credit or debit card information was stolen along with personal information that includes the customer’s full name, date of birth, phone number, email address, physical and/or billing address and gender.  

Orbitz plans to notify all customers who’s information may have been compromised and  is providing potential victims a free year of credit monitoring services. Customers can contact Orbitz for the free service either online or by calling 855-828-3959 toll-free. 

 

Breach Brief – Sonic Drive-In

Sonic fast food chain is the latest victim of a major data breach. Sonic, which has 3,600 locations across the country, confirmed they are investigating unusual payment card activity after being informed by their credit card processor last week. The breach could affect as many as five million card holders.

The breach was first reported by Brian Krebs of KrebsOnSecurity.com.  Krebs stated the breach was revealed by a pattern of of fraudulent transactions on cards used at one of the chain’s restaurants. 

Krebs claims he was tipped off by sources from multiple financial institutions. From his post Krebs related that, “Those cards were then found to be part of a cache of five million credit and debit card accounts that were first put up for sale in mid-September on a dark web site called Joker’s Stash, all indexed by city, state and Zip code. “They’re going at a premium, too: between $25 and $50 per card.” Krebs reported that the cards first showed up for sale on September 18th.

Sonic’s Vice President of public relations Christi Woodworth told Krebs that the investigation hasn’t yet uncovered how many cards or which of its stores may be impacted. Woodworth went on to say that the company “…immediately engaged third-party forensic experts and law enforcement when we heard from our processor. While law enforcement limits the information we can share, we will communicate additional information as we are able.”

Recent patrons of the fast food chain should monitor their credit and debit accounts suspicious activity.