Starbucks rolls out update for flawed iPhone app
Starbucks says it has released an update of its iPhone app, which leaves critical information potentially exposed to computer-savvy phone thieves. The company, which claims it had already beefed up data security, said the app was updated out of an “abundance of caution.”
Seattle Times business reporter
Starbucks said late Thursday it has rolled out an updated iOS mobile app after a security expert found a critical flaw that potentially exposed customer data to computer-savvy phone thieves.
Cybersecurity researcher Daniel Wood disclosed this week that Starbucks’ digital wallet app for the iPhone didn’t encrypt critical customer data — including email and password. That made it vulnerable to a hacker who physically gets ahold of someone’s iPhone.
Starbucks chief information officer Curt Garner, in a letter to customers posted on the company’s website early Thursday, acknowledged that Wood’s report highlighted “theoretical vulnerabilities.”
He added that an update was being deployed out of “an abundance of caution” to add extra layers of protection to changes the company had already made to protect the data.
Starbucks won’t elaborate on those changes for security reasons.
Late Thursday a spokesman confirmed the updated app was live.
Wood, the cybersecurity expert, had said that the previous version of the app could potentially expose credit card data as the information logged in clear text contained a field for a credit card number. Starbucks says that credit card information has always been encrypted.
The company has said that the Android app doesn’t have the flaw.
Garner wrote that there’s no indication that anyone’s data has been compromised. He added that Starbucks customers who think their information may have been compromised should contact the company at 800-23-LATTE or www.starbucks.com/customer.
The flaw, which Starbucks says affected only the iOS application, comes in the midst of rising worries about retailers’ ability to safely handle customer data, including credit-card information. During the holiday season Target and Neiman Marcus suffered major cyberheists.
For Starbucks, data safety is critical, especially as an increasing number of customers rely on their smartphones to store their loyalty cards. Some 11 percent of U.S. transactions in the quarter ended in September were made using the mobile app.
Ángel González: 206-464-2250 or firstname.lastname@example.org.
Information in this article, originally published on January 16, 2014, was corrected on January 17, 2014. A previous version of this story said the old version of Starbucks’ iPhone app left credit card information unencrypted; Starbucks contends that credit card information and payment has always been encrypted.