Starbucks found itself embroiled in a controversy this week after a security researcher revealed that the world's largest coffeehouse company has been storing its users' email addresses, usernames and passwords in clear text. Starbucks executives confirmed the finding on Tuesday, January 14th. A security researcher named Daniel Wood from Minneapolis, Minn. first discovered the flaw, and the news was first reported by Computerworld. The researcher had published some of his research within the security community a day before the Computerworld story ran.
The Starbucks mobile app is currently available on iOS and Android, and it is one of the most widely used mobile payment apps in the US. No jailbreaking of the device is required: anyone with physical access to the phone can read the username and password simply by connecting the phone to a PC. And if that information isn't enough for the thief, the list of geolocation points the phone's user has visited is also stored in clear text.
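The failure described above, credentials and location history readable from the app's data files by anyone who connects the phone to a PC, is something a defender can check for before a researcher does. The script below is an added example and not code from Starbucks or from the researcher; it assumes an app's sandbox (or a device backup of it) has been copied to a local folder, and the file names and contents it builds are constructed for the demonstration.

```python
# Added example, not Starbucks' or the researcher's code: audits a copied app
# sandbox (or device backup) for credentials stored as cleartext.
import os
import re
import tempfile

# Decimal lat/lon pairs such as "44.9778,-93.2650" (an assumed log format)
COORD_RE = re.compile(rb"-?\d{1,3}\.\d{4,}\s*,\s*-?\d{1,3}\.\d{4,}")


def find_cleartext_secrets(root, secrets, max_bytes=5_000_000):
    """Return sorted (relative path, label) pairs for files under root that
    hold any secret as plain UTF-8 or UTF-16LE text, or a coordinate pair."""
    needles = []
    for label, value in secrets.items():
        needles.append((label, value.encode("utf-8")))
        needles.append((label, value.encode("utf-16-le")))  # plist/NSString
    findings = set()
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read(max_bytes)
            except OSError:
                continue
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            for label, needle in needles:
                if needle in data:
                    findings.add((rel, label))
            if COORD_RE.search(data):
                findings.add((rel, "geolocation"))
    return sorted(findings)


def build_sample_sandbox():
    """Constructed sandbox: a log leaks credentials and a location, a UTF-16
    state file leaks the password, and the preferences file is clean."""
    root = tempfile.mkdtemp(prefix="app-sandbox-")
    files = {
        "Library/Caches/session.log": b"user=alice@example.com&pass=hunter2\nloc=44.9778,-93.2650\n",
        "Documents/state.bin": "token hunter2".encode("utf-16-le"),
        "Library/Preferences/prefs.plist": b"<plist><dict><key>theme</key><string>dark</string></dict></plist>",
    }
    for rel, content in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(content)
    return root
```

Running `find_cleartext_secrets(build_sample_sandbox(), {"email": "alice@example.com", "password": "hunter2"})` flags the cache log and the UTF-16 state file but not the preferences file, which is the kind of result an app team should see before shipping.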
Adam Brotman (Starbucks CDO): "We were aware. That was not something that was news to us."
Even more surprising is the fact that neither Starbucks Chief Information Officer Curt Garner nor Chief Digital Officer Adam Brotman was surprised by this news when confronted; they said they were already aware of the issue and that it was "not news" to them. Earlier, they issued a statement saying, "we have security measures in place now related to that," and that their customers' "usernames and passwords are safe" as they have added "extra layers of security," without elaborating on what exactly those security measures are.
However, they have now finally come around and promised to increase the security measures. Curt Garner posted an update on the Starbucks blog saying they have rolled out an update for the mobile app on iOS to address the issue, "which adds extra layers of protection." Garner said they are unable to share the technical details of these security measures "to protect the integrity." Nevertheless, he assures customers that "they sufficiently address the concerns raised in the research report." He emphasized that this vulnerability has not affected any users so far and that none of the information has been compromised. They are also "working to accelerate the deployment" of another update to the iOS app which will add extra layers of protection; once again, no details on how it plans to do so.
Initially, Starbucks downplayed the whole security scenario. When Evan Schuman of Computerworld explained in detail how a thief could steal the user data and password, Garner said, "What you've described is fair, at a high level. From a design perspective, this could have potentially happened."
In light of recent events in which hackers have repeatedly targeted high-profile companies such as Microsoft, Neiman Marcus and Target, where forensic investigations are still underway, it's no surprise that security researchers are appalled at Starbucks' security measures, and more so after its initial reaction to the report. Starbucks expects that users will feel safer now that it has rolled out an update, and it will hopefully provide more details after the next update, which will give users "extra layers of security."