Subway takes sandwiches seriously, not security

My recent post about Why Password Reminders Are A Bad Thing was written in response to Subway sending me my password in plain text via email. They take making your sandwich seriously, but apparently not their security.



My previous blog details why I believe the current security practices implemented by Subway are inadequate. The first possibility is that they are storing plain text passwords in their database along with my other details.  This would be a horrendous data breach should it ever be exposed, especially given the scope of their customer base. The second option is that they are using symmetric key encryption to recover an encrypted password to then send it via email. Sending a plain text password via a medium as insecure as email makes encrypting it in the database pretty pointless if you're sending it out in the wild without protection. Encrypt in transit, encrypt at rest.



After notifying Subway of my concerns I received a response that appeared to be from an actual human being which is nice but to my disappointment they explained:

"we will take any further precautions as legally necessary."

Whilst it's great to know that Subway are prepared to meet the minimum legal requirements for data protection, and make changes to do so if necessary, they are still just that, the minimum. If you actually want to take protecting your customer data seriously there are steps and measures that need to be taken beyond those outlined as a minimum legal requirement.



Imagine the same approach taken by car manufacturers with regards to your personal safety, as opposed to your data safety, in the event of a crash. Seat belts are a minimum legal requirement to protect occupants in the event of an accident but car manufacturers go much, much further. We have crumple zones, side impact protection system, ABS, airbags and much more. Now, the argument can be made that these features encourage consumers to purchase their products which is why manufacturers put so much investment in them. This may well be entirely true. Unfortunately there isn't yet the same level of understanding in the average internet user about the implications of someone not taking your online protection quite as seriously. Because a consumer either isn't aware of the lack of security or doesn't understand the implications of the lack of security it won't have an affect on their decision to purchase or use the product. Does this mean the company should simply skate along on 'minimum legal requirements' and worry about it when the users do?



Now a lot of people at this point may think that these failings are due to financial constraints. The company doesn't have enough money to implement more security as they can't afford to purchase more equipment etc... The truth is that on exactly the same equipment they have now you could implement a far more secure system. All it needs is a little time from the development team to change how they handle user data. Whilst this comes with a price tag, for a company the size of Subway, taking care of user data should be a top priority and it would be a relatively small fee to pay. This fee would be considered near insignificant if compared to the potential damage to the Subway brand if there ever was a data breach. If it was revealed they hadn't done all they reasonably could to protect the information in the first instance consumers, and possibly law enforcement, would be less than impressed.



I haven't yet reached the conclusion of this story as my contact with Subway is still ongoing. I have reported my findings to the ICO to ensure that no laws have been broken but am hoping that Subway will voluntarily bring their security practices from a legal minimum level to a 'we really do care about our user data' level. Subway, it really is a 'no brainer'.

Read the email HERE.


Short URL:

Author image
About Scott
Researcher, blogger and international speaker. I'm the creator of and, free tools to help improve online security.