Caribou Coffee chain announces card breach impacting 239 stores

Almost 40 percent of the company's coffee stores impacted by breach of its POS system.
Written by Catalin Cimpanu, Contributor

US coffee store chain Caribou Coffee announced a security breach today after it discovered unauthorized access to its point-of-sale (POS) systems.

The company listed 239 stores of its total 603 locations as impacted, which roughly amounts to 40 percent of all its sites.

All customers who used a credit or debit card at one of the affected stores between August 28, 2018, and December 3, 2018, should consider their card details compromised and take precautions such as asking for a card replacement, reviewing credit card reports, and enrolling in identity protection programs.

Users can consult the list of impacted stores via the company's data breach notice, posted on its homepage.

Caribou Coffee officials said they detected that something was wrong last month, on November 28, when the company's IT staff was alerted to "unusual activity" on its network via its security monitoring processes.

The company said it worked with experts from Mandiant, a cyber-security firm specializing in investigating data breaches. Two days later, Mandiant informed Caribou Coffee that it had discovered unauthorized access to the company's POS system that also exposed some of the coffee store's customer data.

Caribou Coffee said that names, card numbers, expiration dates, and card security codes might have been exposed and collected by intruders.

Card payments made through the company's website were not affected, as this payment system is separate from in-store POS systems.

"At this time, we are confident that the breach has been contained," said Caribou Coffee officials. "We also are in regular communication with the credit card companies and will provide them with the information necessary to notify the banks that may have issued the affected payment cards."

The FBI is also on the case.
