How Not to Respond to a Cyber Security Vulnerability

The worst way to find out about a cyber security problem is from somebody outside of your organization. We’re paraphrasing the words of Tom Clerici, Director of our Cyber Security Practice, who wrote something similar in a blog from early last year in which he stressed both the increasing inevitability of cyber attacks and the need for businesses to stay out in front of their attackers. Even though Yahoo was the breach du jour when that blog was posted, current events indicate many companies are still failing to properly gain, and act on, insights into what’s taking place on their networks and inside their data centers.

Case in point: Panera Bread. Panera is the latest company to have its name and logo splashed across headlines and cable news graphics for all the wrong reasons. Last year, a security researcher uncovered a major vulnerability with the company’s website, one that left an assortment of customer data, including names, saved addresses, and the last four digits of stored credit cards, plainly exposed. When confronted with evidence of the flaw, Panera did not exactly leap into action. After initially writing the researcher off as a scammer in disguise, the company eventually came around to the idea that something needed to be done. However, the vulnerability allegedly wasn’t corrected until roughly eight months later, after the media got wind of the situation. Then, Panera pulled down its site, claimed the issue was fixed, realized it wasn’t, and pulled it down again. The company’s site is back up, but discrepancies remain as to the scale of the initial issue. Panera claims only about 10,000 customer records were affected. The number being bandied about elsewhere is much higher: 37 million.

If there were a textbook example of how not to handle even a suspected cyber security problem, the Panera story may be it. The company had to rely on someone else to find the problem, it appeared slow to act, and there have been doubts about its ability to grasp the full scope of the situation. At least from the outside, Panera’s incident response plan seems to have left a lot to be desired. However, the company’s branding as something of a cyber security pariah may not be entirely justified, at least not when the overwhelming number of organizations that have found themselves in similar positions is taken into consideration.

Next Steps: Expect the best, be ready for the worst

Want to ensure your business is ready to swiftly and soundly respond to whatever cyber criminals have to offer? Join us at Davio’s Northern Italian Steakhouse in King of Prussia, PA on April 24 for Bourbon & Duct Tape: How NOT to Handle Security Incident Response. This multi-session event will provide executive-level, field-tested strategies on how to prepare for incidents and how to respond when one occurs. Leading the conversation will be two people with plenty of real-world insight into what works and what doesn’t in cyber security: Sean Mason, Director of Cisco’s Incident Response Team, and Tom Clerici, Arraya’s Cyber Security Practice Director.

Register for Bourbon & Duct Tape: How NOT to Handle Security Incident Response now by visiting: arraya.rocks/events. If you’d like to get a dialogue started with Arraya sooner, we can always be reached at: https://www.arrayasolutions.com//contact-us/. And, as always, feel free to leave us a comment on this or any of our blogs using social media. Arraya can be found on LinkedIn, Twitter, and Facebook. While you’re there, follow us so you can stay updated on all of our latest industry insights, unique educational opportunities, and more.
