Starbucks Singapore says customer data illegally accessed in data leak

F&B chain notifies members of its Rewards loyalty programme that customer details, including birthdates, residential addresses, and mobile numbers, have been illegally accessed and it is working with local authorities on the security incident.
Written by Eileen Yu, Senior Contributing Editor

Starbucks says personal data of some customers in Singapore has been compromised, including names, birthdates, and mobile numbers. While credit card details and passwords have not been leaked, it has advised customers to change their password.  

The US F&B chain sent email messages to multiple customers on Friday, notifying them that it had detected "unauthorised activity online" as well as "some unauthorised access to customer details". These included names, dates of birth, mobile numbers, and residential addresses, if the personal data had been provided to Starbucks.

It said details related to its Rewards customer loyalty programme, such as stored value and credits, were unaffected. Credit card data also had not been compromised since it did not store such information, according to Starbucks.  

The retailer said local authorities had been informed and it was assisting them with the investigation. It also noted that while passwords were not compromised, customers were encouraged to reset their password immediately.

In its email to customers, Starbucks said it had implemented additional measures to safeguard customer information, but did not provide details on what these entailed. 

ZDNET understands that hackers already are peddling the data on an online forum that specialises in the trading of stolen databases. In a September 10 post, the hackers claimed to have access to Starbucks Singapore's "full database" containing more than 553,000 records and offered a sample dump. 

ZDNET reached out to Starbucks for more information, including the number of customers affected by the breach, which systems were breached, security measures taken following the breach, and when the breach was first uncovered.

In an email response, a spokesperson said the company was made aware of a data breach on Tuesday, September 13, that might affect customers who had registered an e-commerce account with the retailer and previously completed a transaction via the Starbucks in-app delivery or online store services. 

Customers affected by the breach had been notified via email, the spokesperson said. 

She noted that "reasonable steps" were immediately taken to protect customer data, but again did not specify what these were. She said the company, like all major retailers, had safeguards in place to "constantly monitor for fraudulent activity". 

"The security of our customers' information is critically important and we will continue to do what it takes to protect them," she said.

The Starbucks spokesperson did not address ZDNET's questions on the number of customers affected by the data leak or which systems were involved in the breach. 

