The incident is a wake-up call for the members of loyalty schemes and mobile app services worldwide to segregate payment accounts
On 10 Sep 2022 a hacker using the ID “Sedy” posted data belonging to Starbucks Singapore users for sale on a hacking forum for US$3,500. A total of five copies of the data were offered.
Only on 16 Sep did Starbucks management in the country inform affected customers of the data breach, adding that it had known about the incident since 13 Sep.
Some 330,000 customers (originally reported as 220,000+ by some websites) who had used the firm’s mobile app, customer loyalty program or online store had their personally identifiable information (PII) stolen. Starbucks claimed that financial details such as credit card information are stored separately from the pilfered data, so affected customers did not have such data leaked.
The Chief Information Security Officer of Acronis, Kevin Reed, was quoted in the media advising the Singapore public to “scrutinize any correspondence received from strangers or organizations.” The breach could have been carried out via data scraping or due to poorly secured data, said Reed.
The firm’s last known breach in Asia was in 2018, when its South Korea operation was fined US$9,000 for disclosing the personal details of 537 customers through a technical glitch in the mobile application. In that same year, according to a Wall Street Journal report, the firm had 62 full-time employees in its global cybersecurity team, while a ComputerWeekly story described how the coffee chain had automated malware triage response and mail hygiene.
In 2015, US customers of the coffee chain had their credit card details stolen and used in numerous big-ticket transactions. One unfortunate customer in Orlando lost US$34.77 in her member card’s stored value, and then another $25 after the system performed an automatic top-up when the balance hit $0!
According to Chris Thomas, Senior Security Advisor (APJ), ExtraHop: “The sophistication of threat actors means that companies need the right security processes in place for when an intrusion does happen if they want to catch attackers in their midgame, before the intrusion develops into a successful breach. Ensuring good protocol, network segmentation, and behavioral monitoring of the environment is crucial for organizations to protect themselves.”
Some Reddit users actually felt insulted that their PII was worth so little on the Dark Web, while others claimed that their “stars” and membership rewards had been wiped out. All Starbucks Singapore customers with data registered with the firm are advised to change their passwords, observe online payment safety hygiene practices, and be on the alert for unusual cyber activity.