200,000 Singapore Starbucks customers' data leaked, info sold online for $3,500
The data of some 200,000 Singaporean Starbucks customers has been breached and has been up for sale on an online forum since Sept 10, The Straits Times has found.
The affected customers received an e-mail from the coffee chain on Friday notifying them of a data breach that compromised their personal information, including their names, home and e-mail addresses.
A spokesman for Starbucks Singapore said the coffee chain was made aware of the data breach only on Sept 13, adding that the customers affected were those who had accounts and had previously made a transaction via its app or online store.
In the e-mail seen by ST, customers were informed that their credit card data has not been compromised as Starbucks does not store that data.
Other details related to its customer loyalty programme, including stored values, rewards and credits, remain intact as well, it said.
"We have immediately taken reasonable steps to protect customer information. We are also fully cooperating with the authorities on the investigation," said the spokesman.
At press time, one copy of the database containing users' data has already been sold, with the price listed at $3,500.
Another four copies are listed for sale.
Mr Kevin Reed, the chief information security officer of cyber-security firm Acronis, cautioned individuals affected to be on the lookout for potential phishing or scam attempts in the coming weeks.
"My advice to those who received the e-mail from Starbucks is that they should scrutinise any correspondence they receive from strangers or organisations," he said.
"They may use your personal information to appear trustworthy, and in some cases may even ask you to access one-time passwords."
Citing the SMS phishing scams last year that affected some 470 OCBC Bank customers who lost at least $8.5 million, Mr Reed said he expects scammers to make use of the stolen information in the same manner.
He said: "In many of the situations, people were addressed by their names, which made the messages seem credible."
He added that there was a possibility of the information being used to access other services as well.
Although Starbucks Singapore did not reveal how the breach happened, he said it could have been carried out in two ways.
The first involves data scraping, whereby scripts and tools are used to collect data.
Alternatively, he said the data may not have been secured properly.
"But now that the data is out, it's a little too late," he said.