Breach Puts Attention on Loyalty Programs
By Rachel Siegel
The Washington Post
Panera Bread last week became the latest company hit by a data breach, acknowledging that customer information was vulnerable on its company website for at least eight months.
The records belonged to customers who had registered for the MyPanera program to order food online. The details exposed included their names, email and physical addresses, birthdays, and the last four digits of user credit card numbers, according to the security news site KrebsOnSecurity. Customers’ Panera loyalty card numbers were also exposed, KrebsOnSecurity reported, which scammers could potentially abuse to spend prepaid accounts.
On Tuesday, Panera estimated that fewer than 10,000 customers had been affected by the leak. KrebsOnSecurity put the number at closer to 37 million, though experts say the true number of compromised records may never be fully known. Panera did not return a request for comment, or for clarification on the nature of the data breach.
As with so many other data breaches, this one raises questions for consumers. In some respects, it’s grown ever more difficult to avoid e-commerce transactions. Many people now manage their personal banking on mobile apps. And consumers appreciate the convenience of ordering goods online. Every relationship and transaction raises the possibility of a data breach.
But loyalty programs, which promise perks and convenience in exchange for personal data, are another realm. And Panera’s breach makes one wonder: Is a free sandwich worth the hassle of having personal identifying information floating into the wrong hands?
Some experts say it’s a lost cause: for all of the information consumers volunteer in exchange for meager benefits, refusing to set up online accounts at restaurants like Panera would ultimately do little to protect email addresses and birth dates.
“In the moment it seems like, ‘Well, I don’t want to make a 10 to 15 minute line at Panera. It’s so much more convenient to just drive up and pick it up,’” said Dalii Jimenez, a law professor at the University of California at Irvine. “That seems like a good trade-off, and in a way, I can’t say that it’s not.”
Some say the larger burden falls on companies and what they should be doing to responsibly handle that data.
Chris Hoofnagle, a professor of information and law at the University of California at Berkeley, said companies want access to personal information but are often unwilling to pay the price of ensuring its protection.
“Security is difficult and expensive, and no one wants to do it,” Hoofnagle said. “There’s the miracle of making it possible that you can order a sandwich [online]. That’s hard enough! And then people come along and say, ‘what about security?’”
Like Hoofnagle, Carrie Kerskie, an identity fraud expert at Hodges University, agreed that it’s near impossible to rein in personal data once it’s already online. But she said consumers can judge for themselves whether they want to volunteer other degrees of information - like personal preferences and habits - that could be manipulated by anyone down the line.
“The test that I use is if you’re doing anything online, view it from the perspective of, ‘would I also put this on the billboard of a highway,’” Kerskie said. “Because it’s pretty much the same thing.”
Consumers will decide for themselves at what cost they’re willing to volunteer personal information. And the feeling that our data are everywhere has made some people feel more cavalier about it.
Jimenez, the law professor, for one, sees no reason not to place a lunch order online.
“It’s rational to make that choice, to sign up for something like this. Because what can you do?” she said. “Your name and address are already out there. Give me that egg sandwich!”