In August 2017, …reported a vulnerability to Panera Bread that allowed the full name, home address, email address, food/dietary preferences, username, phone number, birthday and last four digits of a saved credit card to be accessed in bulk for any user that had ever signed up for an account. This includes my own personal data! Despite an explicit acknowledgement of the issue and a promise to fix it, Panera Bread sat on the vulnerability and, as far as I can tell, did nothing about it for eight months.
This is why it’s important to take seriously any email that reports a vulnerability in your website or web app, especially one related to a data breach. It’s important to prioritize this kind of work too: in 2018 you cannot sit idly while a data breach threat looms over the entire organization. With the Equifax data breach, maybe we’ll start to see shareholders and customers take their data more seriously and start filing lawsuits about the immense risk that organizations are not preparing for.