[ISN] Pizza chain caught without fully baked security

InfoSec News isn at c4i.org
Tue Nov 8 03:17:13 EST 2005 

http://news.com.com/Pizza+chain+caught+without+fully+baked+security/2100-7349_3-5938572.html

By Joris Evers 
Staff Writer, CNET News.com
November 7, 2005

Papa John's has beefed up security for its Web-based e-mail system 
after the pizza chain learned that internal e-mail and customer data 
had been exposed. 

The leak at the Louisville, Ky.-based pizza chain made internal 
corporate e-mail and thousands of customer comments available to 
anyone with a Web browser. The customer comments were submitted 
between Sept. 29 and Nov. 7 and included names, addresses, phone 
numbers and e-mail addresses of customers. 

"It looks like there is no password protection on Papa John's internal 
Web e-mail system," said Richard Smith, an Internet privacy expert who 
reviewed the issue at the request of CNET News.com. "This sort of Web 
site privacy leak happens more than it should." 

Papa John's [1] on Monday added password protection to its Web-based 
e-mail system and the online customer suggestion database, after it 
was notified of the leak by CNET News.com. The company's action came 
hours after information exposing the system's insecurity was published 
to the popular Full Disclosure security mailing list [2]. 

"Today we learned that customer feedback over the last five 
weeks...could be viewed by a user who would have to enter a very 
specific, unpublished URL," said Chris Sternberg, a Papa John's 
spokesman. 

"We're not certain that anybody has accessed this information," 
Sternberg said. "We don't think the ability to access this information 
breached our disclosure policy, but we don't want it accessed by 
anyone outside the Papa John's system, so we have taken steps to fix 
this." 
 
The consumer information that was disclosed did not include credit
card numbers or other sensitive data, which limits the risk of fraud,
said James Van Dyke, principal analyst at Javelin Strategy & Research
in Pleasanton, Calif.

"There is no reason to expect that this will lead to identity fraud,
as the exposed information is not of the type used by financial
companies to grant access to capital," he said. "In the most extreme
case, a fraudster could call one of the listed individuals and pretend
to be a Papa John's employee, asking for a credit card number or bank
number."

While the Web-based system now requires a password, some of the
information is still available in the cache of Google's search engine.  
For example, one internal Papa John's e-mail discusses the company's
challenges in re-establishing itself in Mexico and Puerto Rico after
the departure of a key employee.

[1] http://www.papajohns.com/
[2] http://archives.neohapsis.com/archives/fulldisclosure/2005-11/0156.html

More information about the ISN mailing list