While the numbers are small -- perhaps just a handful of users -- some Starbucks (NASDAQ:SBUX) mobile payment customers have been hacked.
The breaches, which were first reported by journalist and author Bob Sullivan, target people who use the auto-reload feature on the company's app-linked gift cards. Starbucks spokesperson Maggie Jantzen acknowledged the security breaches in a call with The Motley Fool, but said that they were not widespread, and that any specific problems brought to the company's attention were quickly resolved:
We have safeguards in place to constantly monitor for fraudulent activity and, like all major retailers, work closely with financial institutions to make sure our customers are protected.
The Starbucks incidents, which are the subject of a thread on Reddit, are not a major hack like the Target or Home Depot breaches, and they do not suggest the company has a security problem with its app. What they do show is that all companies and users have vulnerabilities.
What happened to the Starbucks customers
Starbucks' vulnerability is not a systemwide issue. Instead, it's caused by consumers having their usernames and passwords stolen, which allow the criminal to steal money through the company's auto-reload feature, which is linked to a credit card. Sullivan detailed one instance of the theft on his site:
Maria Nistri, 48, was a victim this week. Criminals stole the Orlando women's [sic] $34.77 in value she had loaded onto her Starbucks app, then another $25 after it was auto-loaded into her card because her balance hit 0. Then, the criminals upped the ante, changing her auto reload amount to $75, and stealing that amount, too. All within 7 minutes.
Once a hacker has access to a person's Starbucks account, he or she can move balances to an account they control and continue to do so when the account auto-reloads.
Essentially, any criminal who obtains username and password credentials to Starbucks.com can drain a consumer's stored value, and attack their linked credit card. Because the crime is so simple, can escalate quickly, and the consumer protections controlling the transaction are unclear, I recommend all Starbucks consumers immediately disable auto-reload on the Starbucks mobile payments and gift cards.
Safety recommendations from the coffee giant
While Starbucks does not go as far as telling consumers to disable the autoreload feature, Jantzen did suggest users of the app follow "several best practices to ensure their information is as protected as possible." She suggested strong passwords as one method to ensure security. She also pointed out that customers are not responsible for charges or transfers they did not make, and noted that balances on registered cards (or cards tied to the mobile app) are protected.
"If a customer sees unauthorized activity on their account, we encourage them to contact us immediately," she said.
Starbucks also issued a press release in which it specifically stated that news reports that said its app had been hacked were "false." The company did acknowledge that it sometimes "receives reports from customers of unauthorized activity on their online account."
This, the company wrote, is "primarily caused when criminals obtain reused names and passwords from other sites and attempt to apply that information to Starbucks." To stop that from happening, the coffee chain recommends a number of best practices:
- Passwords: Creating passwords made up of long phrases or sentences that mix capital and lowercase letters, numbers, and symbols. Using different passwords for different sites, especially those that keep financial information. Changing passwords often.
- Lost or Stolen Device: If a customer believes his device has been lost or stolen, immediately change passwords for financial and personal accounts to prevent any identity theft or fraud.
- Stay Alert: Regularly review bank statements for suspicious activity. If something is in error, immediately report that to your financial institution.
These are sensible strategies for any app linked to a credit card, and they make sense for anyone who uses mobile payment.
What this means for businesses and consumers
The biggest threat here is that consumers lose faith in the safety of the Starbucks app. The coffee giant said in October 2014 that "roughly 16% of its U.S. sales now occur through a mobile device, with the company now handling about seven million mobile payments each week," GeekWire reported. It also controlled about 90% of all mobile payment transactions last year, according to the tech site.
Mobile payment is a key part of Starbucks' strategy, with things like ordering in advance via phone or tablet being tested and slowly rolled out around the country. The chain has succeeded in getting people to use its app well beyond any other retailer, and maintaining trust is key.
Consumers should be reassured that hackers are working on an individual basis, not on a broad, companywide one. Using the Starbucks app is safe, provided you follow the best practices listed above.
Starbucks has done well to get in front of this and stop it from becoming a crisis. For now, that should stop the panic and perhaps get more customers to be smart about their passwords and monitor their accounts more diligently.