Starbucks says personal data of some customers in Singapore has been compromised, including names, birthdates, and mobile numbers. While credit card details and passwords have not been leaked, it has advised customers to change their password.
The US F&B chain sent email messages to multiple customers on Friday, notifying them that it had detected “unauthorised activity online” as well as “some unauthorised access to customer details”. These included names, dates of birth, mobile numbers, and residential addresses, if the personal data had been provided to Starbucks.
It said details related to its Rewards customer loyalty programme, such as stored value and credits, were unaffected. Credit card data also had not been compromised since it did not store such information, according to Starbucks.
The retailer said local authorities had been informed and it was assisting them on the security incident. While passwords were not compromised, the company urged its customers to reset their password immediately.
ZDNET understands that hackers already are peddling the data on an online forum that specialises in the trading of stolen databases. In a September 10 post, the hackers claimed to have access to Starbucks Singapore’s “full database” containing more than 553,000 records and offered a sample dump.
In its email, Starbucks said it had implemented additional measures to safeguard customer information, but did not provide details on what these entailed.
ZDNET has reached out to the US retailer for more information, including how many customers were affected by the breach, what systems were breached, and when the breach was first uncovered. This article will be updated if and when Starbucks responds.