Starbucks announces data breach
Nearly 900 people directly affected
Coffee chain Starbucks has disclosed a data breach that exposed hundreds of employees’ personal information.
In a filing with Maine’s Attorney General, the world’s largest coffee chain – which has 41,000 locations across 88 countries – says it discovered the breach on 6th February, and that it affected 889 people.
However, it also says the breach occurred from 19th January to 11th February – with no explanation as to why it took five days from discovery to remediation.
In the breach notification appended to the filing, Starbucks writes that it “became aware of potential unauthorised access to certain Starbucks Partner Central accounts.”
Starbucks Partner Central is a company portal employees (“partners”) can use to access resources like work schedules, pay slips, benefits information, training materials and company news.
Login credentials appear to have been compromised when employees tried to log in to malicious websites impersonating Partner Central.
“The investigation has determined that an unauthorised third party accessed certain Starbucks Partner Central accounts after obtaining the login credentials through websites impersonating Partner Central. Based on the types of information viewable within those accounts, some of your personal information may have been impacted.”
The information exposed “may” have included names, social security numbers, dates of birth, financial account and routing numbers.
Starbucks gives the normal spiel about notifying law enforcement and taking “further measures” to strengthen security controls. It is also providing affected individuals with two years of free identity theft protection and credit monitoring service through Experian IdentityWorks.
Starbucks suffered another data breach in 2022, though on a much larger scale: that one affected more than 200,000 customers.
And in 2024 it was caught up in the Blue Yonder supply chain attack, which also disrupted services at Sainsbury’s and Morrisons.