To that email, Houlihan replied that he was acting in good faith, having come across the problem accidentally.
"I am not exaggerating when I say you have a massive sensitive data exposure issue," he said, "and I'd simply like you to be made aware of it so you can quickly resolve it."
Houlihan said he was particularly concerned because as a Panera customer, his data was among the exposed records.
In that exchange of emails in early August 2017, Gustavison eventually thanked Houlihan and said, "we are working on a resolution."
But when Houlihan checked to see whether the website had been patched, the vulnerability persisted. After months passed, he acted this week, first by posting information about the breach online, and then by contacting security analysts, including writer Brian Krebs. Krebs said on his website that, after probing the vulnerabilities further, he found that millions of customers' data was exposed.
"The data available in plain text from Panera's site appeared to include records for any customer who has signed up for an account to order food online via panerabread.com," Krebs wrote, adding that the huge company has more than 2,100 stores.
Panera collects customers' information online for everything from its awards and loyalty program to individual orders, delivery, and catering jobs.
Krebs and Houlihan are sharply criticizing Panera's handling of the issue, saying the company does not take web security seriously enough — and that it wasn't being honest when it said the breach was a) small and b) fixed. Both of the security experts said Panera wildly understated the problem when it told Fox Business Network on Monday night that "fewer than 10,000 consumers have been potentially affected" by the issue.
In contrast, Krebs wrote on his site that "incremental customer numbers indexed by the site suggest that number may be higher than seven million." But Krebs later updated the figure to include the findings of other researchers who found the same vulnerabilities in Panera's commercial division, stating, "the number of customer records exposed in this breach appears to exceed 37 million."
On the Fox channel, Panera's chief information officer, John Meister, said "Panera takes data security very seriously, and this issue is resolved."
After the Fox Business segment aired, Krebs tweeted to Panera Bread, "before making half-baked statements to the press to downplay the size of a breach, perhaps you should make sure the problem doesn't extend to all other parts of your business." — adding a link to another section of the company's site that he said remained at risk.
Krebs also highlighted the fact that prior to joining Panera in 2013, Gustavison was the senior director of security operations at Equifax — another company that has recently endured a huge security breach, and which has also been faulted for the way it handled the case (including tweeting links to a bogus website).
After the story broke, Krebs and Houlihan called for companies to review how they deal with such breaches.
"It's easy to bully Panera Bread for this, but in my opinion we need to take Panera Bread's actions as symptomatic of a much larger issue with security reporting and compliance," Houlihan wrote on Medium. "This is not a problem unique to any particular type of company. This has happened before and it will continue to happen."
Houlihan recommended changes, including a push to hold companies more accountable for breaches. And he urged any security personnel to make it easy to receive reports of vulnerabilities — and to act on them.
Just weeks before Houlihan sent his warning of a security flaw to Panera last summer, the coffee and bakery chain was finalizing its acquisition by Europe's mammoth JAB Holding Company, in a $7.5 billion deal.
JAB's other properties range from Krispy Kreme and Caribou Coffee to Einstein Bros Bagels and Keurig Green Mountain. We haven't seen any reports of similar security problems at those enterprises.