330,000 S'pore Starbucks customers' data leaked, info sold online for $3,500

The data breach compromised Starbucks customers' personal information, including their names, home and e-mail addresses. PHOTO: ST FILE

SINGAPORE - Some 330,000 Singaporean Starbucks customers' data were found by The Straits Times to have been breached and put up for sale on an online forum since Sept 10.

The affected customers received an e-mail from the coffee chain on Friday notifying them of a data breach that compromised their personal information, including their names, home and e-mail addresses.

When asked if its database was hacked, a spokesman for Starbucks Singapore said the coffee chain was made aware of the data breach only on Sept 13, adding that the customers affected were those who had accounts and had previously made a transaction via its app or online store.

In the e-mail seen by ST, customers were informed that their credit card data has not been compromised as Starbucks does not store that data.

Other details related to its customer loyalty programme, including stored values, rewards and credits, remain intact as well, it said.

"We have immediately taken reasonable steps to protect customer information. We are also fully cooperating with the authorities in the investigation," said the spokesman.

Responding to ST queries, a spokesman for the Personal Data Protection Commission said it has been notified about the incident.

“We are investigating and have reached out to Starbucks for more information,” he said.

At press time, one copy of the database containing users' data has already been sold, with the price listed at $3,500.

Another four copies are being listed on offer.

Mr Kevin Reed, the chief information security officer of cyber-security firm Acronis, cautioned individuals affected to be on the lookout for phishing or scam attempts in the coming weeks.

"My advice to those who received the e-mail from Starbucks is that they should scrutinise any correspondence they receive from strangers or organisations.

"They may use your personal information to appear trustworthy, and in some cases may even ask you to access one-time passwords," he said.

The online forum where the data of more than 200,000 Starbucks customers is currently being sold. ST PHOTO: AQIL HAMZAH

Citing the SMS phishing scams last year that affected almost 470 OCBC Bank customers who lost at least $8.5 million, Mr Reed said he expects scammers to make use of the stolen information in the same manner.

He said: "In many of the situations, people were addressed by their names, which made the messages seem credible."

He added that there was a possibility of the information being used to access other services as well.

And although Starbucks Singapore did not reveal how the breach happened, he said it could have been carried out in two ways.

The first involves data scraping, whereby scripts and tools are used to collect data.

Alternatively, he said the data may not have been secured properly.

"But now that the data is out, it's a little too late."

Correction note: An earlier version of this report said the data of about 200,000 Starbucks customers was breached. The Straits Times has been able to verify that the number of people involved in the data breach is closer to 330,000.

Join ST's WhatsApp Channel and get the latest news and must-reads.