The Panera Bread incident is a classic example of how to NOT handle a security breach, and there are definitely lessons other companies can learn from Panera Bread’s catalogue of mistakes.
However, I was disappointed to see so many wise security owls, on social media or their personal blogs, hooting over the fact that one of the Panera Bread security staff involved in the story used to work at Equifax.
Yes, that Equifax. The one which was revealed to have been hacked last year, putting the details of hundreds of millions of consumers at risk.
It’s pretty ugly to beat up a particular named individual (I’ve redacted his name above) because a company he used to work at had a serious security breach four years later.
In fact, I feel it’s pretty lousy to race to blame Panera Bread’s IT security team at all.
Are we really sure of the facts? Can we say with confidence that they are the ones ultimately to blame for the hapless response to a serious security failing?
Or might there be some fault higher up in the company, which may not have given the IT security team the resources and wherewithal to determine where their efforts are best placed and fix what is so clearly broken?
All I’m saying is this: It’s not always easy to be the guy responsible for securing a company, but it’s pretty simple to pillory someone without knowing all the facts.
To hear further discussion of the Panera Bread security breach, check out this episode of the “Smashing Security” podcast.