Pizza chain caught without fully baked security

Papa John's has beefed up security for its Web-based e-mail system after the pizza chain learned that internal e-mail and customer data had been exposed.

The leak at the Louisville, Ky.-based pizza chain made internal corporate e-mail and thousands of customer comments available to anyone with a Web browser. The customer comments were submitted between Sept. 29 and Nov. 7 and included names, addresses, phone numbers and e-mail addresses of customers.

"It looks like there is no password protection on Papa John's internal Web e-mail system," said Richard Smith, an Internet privacy expert who reviewed the issue at the request of CNET News.com. "This sort of Web site privacy leak happens more than it should."

Papa John's on Monday added password protection to its Web-based e-mail system and the online customer suggestion database, after it was notified of the leak by CNET News.com. The company's action came hours after information exposing the system's insecurity was published to the popular Full Disclosure security mailing list.

"Today we learned that customer feedback over the last five weeks...could be viewed by a user who would have to enter a very specific, unpublished URL," said Chris Sternberg, a Papa John's spokesman.

"We're not certain that anybody has accessed this information," Sternberg said. "We don't think the ability to access this information breached our disclosure policy, but we don't want it accessed by anyone outside the Papa John's system, so we have taken steps to fix this."

The consumer information that was disclosed did not include credit card numbers or other sensitive data, which limits the risk of fraud, said James Van Dyke, principal analyst at Javelin Strategy & Research in Pleasanton, Calif.

"There is no reason to expect that this will lead to identity fraud, as the exposed information is not of the type used by financial companies to grant access to capital," he said. "In the most extreme case, a fraudster could call one of the listed individuals and pretend to be a Papa John's employee, asking for a credit card number or bank number."

While the Web-based system now requires a password, some of the information is still available in the cache of Google's search engine. For example, one internal Papa John's e-mail discusses the company's challenges in re-establishing itself in Mexico and Puerto Rico after the departure of a key employee.

[Roman12]

security

Just another case that proves that you can't really trust public hotspots with your personal information.:(
__________________________________
R.K.
<a class="jive-link-external" href="http://www.Remove-All-Spyware.com/" target="_newWindow">http://www.Remove-All-Spyware.com/</a>

[hodesworthe]

Get real, folks

If you don't already have an alias e-mail and you don't know enough to use a fake phone number, shame on you! The only info you'd get out of me is that my name is Hode Stevens (haha) and my e-mail account shows the same name. The only sites acceptable for real information are your bank, your school, and your place of business! Tighten Up!

[Johnny Mnemonic]

What if

Your place of business is Papa John's?

[Thunder Johny]

Tighten Up

<a class="jive-link-external" href="http://www.analogstereo.com/ford_f550_owners_manual.htm" target="_newWindow">http://www.analogstereo.com/ford_f550_owners_manual.htm</a>

human resources...

thier delivery drivers could build a better computer network... no, there delivery drivers are too busy collecting donations for Jerry's kids... though Jerrys kids probably have it better off than any of Papa Johns drivers...

[Thunder Johny]

Papa Johns drivers

<a class="jive-link-external" href="http://www.analogstereo.com/skoda_owners_manual.htm" target="_newWindow">http://www.analogstereo.com/skoda_owners_manual.htm</a>