
Originally published January 16, 2014 at 4:41 PM | Page modified January 17, 2014 at 9:54 AM


Corrected version

Starbucks rolls out update for flawed iPhone app

Starbucks says it has released an update of its iPhone app, which leaves critical information potentially exposed to computer-savvy phone thieves. The company, which claims it had already beefed up data security, said the app was updated out of an “abundance of caution.”

Seattle Times business reporter



Starbucks said late Thursday it has rolled out an updated iOS mobile app after a security expert found a critical flaw that potentially exposed customer data to computer-savvy phone thieves.

Cybersecurity researcher Daniel Wood disclosed this week that Starbucks’ digital wallet app for the iPhone didn’t encrypt critical customer data — including email and password. That made it vulnerable to a hacker who physically gets ahold of someone’s iPhone.

Starbucks chief information officer Curt Garner, in a letter to customers posted on the company’s website early Thursday, acknowledged that Wood’s report highlighted “theoretical vulnerabilities.”

He added that an update was being deployed out of “an abundance of caution” to add extra layers of protection to changes the company had already made to protect the data.

Starbucks won’t elaborate on those changes for security reasons.

Late Thursday a spokesman confirmed the updated app was live.

Wood, the cybersecurity expert, had said that the previous version of the app could potentially expose credit card data as the information logged in clear text contained a field for a credit card number. Starbucks says that credit card information has always been encrypted.

The company has said that the Android app doesn’t have the flaw.

Garner wrote that there’s no indication that anyone’s data has been compromised. He added that Starbucks customers who think their information may have been compromised should contact the company at 800-23-LATTE or

The flaw, which Starbucks says affected only the iOS application, comes in the midst of rising worries about retailers’ ability to safely handle customer data, including credit-card information. During the holiday season Target and Neiman Marcus suffered major cyberheists.

For Starbucks, data safety is critical, especially as an increasing number of customers rely on their smartphones to store their loyalty cards. Some 11 percent of U.S. transactions in the quarter ended in September were made using the mobile app.

Ángel González: 206-464-2250 or

Information in this article, originally published on January 16, 2014, was corrected on January 17, 2014. A previous version of this story said the old version of Starbucks’ iPhone app left credit card information unencrypted; Starbucks contends that credit card information and payment has always been encrypted.


The Seattle Times
