May 14, 2015

Has Starbucks’ mobile app been hacked?

According to reports, hackers are finding a way to gain access to people’s Starbucks mobile accounts and triggering the auto-reload function, thereby giving them access to the users’ debit and credit card data.

A woman in Orlando, according to a CNBC report, noticed that $34.77 in value from her account had been transferred to another card. When the $25 reload kicked in, the criminals transferred it out of her account again. They then upped the reload rate to $75 and went back for more.

A man in Sugar Land, TX had a similar experience, according to CNN. After going to Starbucks he suddenly found himself getting alerts from PayPal notifying him that his card was continually being reloaded $50 at a time. He wound up getting 10 notices in a 10-minute period.

With 16 million customers using the Starbucks mobile app, the security of the card is clearly a major concern for the coffee chain. For its part, Starbucks maintains the app has not been hacked. Instead, the company claims that occasional reports from consumers such as those on CNBC and CNN are typically the result of hackers gaining access to their Starbucks card through other accounts that have the same user names and passwords.

Discussion Questions

Do reports of consumers having their mobile accounts hacked represent a serious problem for Starbucks? Has Starbucks’ response been adequate to address concerns raised by the reports?

David Dorf

I don’t think the app has been hacked. Rather, resourceful hackers are using social engineering to guess passwords. So far the amounts aren’t huge and the companies involved are refunding victims. Regardless, this is a PR issue for Starbucks as their brand is front-and-center. It wouldn’t take much to add an alert or enforce better passwords.

Max Goldberg

Regardless of how they were able to hack consumers’ Starbucks cards, news of another hack has to make Starbucks management nervous. Consumers have been whipsawed from one hacking scandal to another. Starbucks should take steps to show how these incidents were anomalies and do not threaten their card infrastructure. Transparency will be vital to preserve public confidence in Starbucks cards.

Camille P. Schuster, Ph.D.

Having mobile accounts hacked or accessed is always an issue for consumers. Whether this is considered hacking or not is not relevant from the consumer’s perspective. If someone can access a user’s account and money, consumers will be upset no matter what the process they use to do it is called. This kind of breach always damages the credibility of the company involved. As much as consumers are willing to admit that breaches happen, the company responsible for not protecting the consumer’s account loses trust and credibility.

Ryan Mathews

Of course.

Any hack of a system — no matter how limited — is a serious problem for the retailer operating that system. The fact that one account has been hacked means that potentially all accounts are, at the very least, vulnerable.

As to Starbucks’ response, I’d give it a D-minus. Clearly every account holder who hears or reads about these breaches is going to be worried about the security of their own account. Saying, in effect, “Sure they were hacked, but it wasn’t really our fault,” doesn’t get you off the hook as a retailer, nor assure your customers that you take their digital security too seriously.

Starbucks would have been better advised to get ahead of the story, launch a full-blown investigation of its own and, even if it really wasn’t Starbucks’ fault, issue a detailed public report explaining why and how it was effectively protecting its customers’ accounts.

In this media-centric world, even the suspicion of digital compromise is enough to send customers running off to shut down their accounts.

Anne Howe

Yikes! Starbucks should jump on this and reinforce passwords ASAP. The negative spin potential is very high. So is the opportunity for Starbucks to manage this as an industry leader. I’m interested in seeing how fast they could mobilize their “loyals” to take action. Would be a great case study if they could put a solution in place in a day!

Ed Rosenbaum

Seriously? Starbucks’ system has been hacked. Maybe by a group of beginners because the numbers are low at this point. But the fact is the system has been hacked. I find it incredible that the hacker population is so brilliant at what they do that they can regularly beat major systems funded by millions of dollars to keep them protected. The hackers find their way in like termites eating through wood. If only there was a way to use this tremendous brainpower for betterment. But then how would they make the money they get from the “dark side?”

Peter J. Charness

Everyone’s systems will eventually have a security problem. As you may recall, the “manual” hackers used to duplicate plastic credit cards as well from time to time and shop in stores with those forged cards. It just wasn’t possible to do this with millions of victims at a time.
A more interesting question is if there will ever be a backlash against the vulnerability of personal data/credit data such that people start refusing to allow secure information to be stored in the cloud and start to keep their personal data “personal.”

Gordon Arnold

The good news for Starbucks is that sheep follow and rarely lead the way to anywhere. So I doubt if the falloff from what is left of their market share is going to be very serious. This news will just make it more difficult to renew and instill interest to the rest of the market.

The really bad news is that few consumers will accept at face value a message from the company that this is false or that all is well. The market is not at all happy with security issues in retail and it is getting less and less tolerable. The time to end the concerns is now and the means start with every retailer accepting the responsibility on their own part.
