American coffee company Starbucks has confirmed that cyber criminals have been hacking into its customers' rewards accounts in order to gain access to their bank accounts.
Starbucks' mobile payment app allows customers to pay for their order at checkout using their smartphones. The system can also be used to reload Starbucks gift cards by drawing money electronically from the customer's bank account, credit card or PayPal account.
According to reports, victims of the scam noticed that their Starbucks accounts were broken into and used to purchase gift cards from the coffee company worth hundreds of dollars. They believe these gift cards will then be sold on the black market.
One of the victims, Maria Nistri from Orlando, told consumer journalist Bob Sullivan that her app account had been hacked and the perpetrators changed its username and password. Nistri said the Starbucks account was then used to steal $34.77 worth of value she had loaded into the app. The criminals gradually increased the reload amount from $25 to $75, which they proceeded to steal.
"It was crazy. I was like, what in the world?" she said. "I was lucky I happened to check my email when I did, otherwise who knows how much they would have gotten."
Jean Obando, another victim of the scam from Texas, said the cyber criminals charged his PayPal account a total of $550 in purchases of Starbucks gift cards. He informed Starbucks about the hacking and the coffee company conducted an investigation. Obando received a refund from Starbucks two weeks later after disputing the illegal transactions.
"Now, I just pay with my credit card or cash," Obando said. "I can't trust Starbucks with my payment information anymore."
In a recent interview, Starbucks said that the company itself had not been hacked and that it did not lose any data on its customers. The coffee company asserted that the string of illegal accesses to the rewards accounts was due to the weak passwords customers tend to use.
Starbucks recommended that customers should come up with unique combinations to create stronger passwords for their accounts.
While Starbucks did not confirm whether it is going to add new security features to its online system, the coffee company said it will provide reimbursements to its customers for any fraudulent charges.
Gavin Reid, an official from cybersecurity company Lancope, explained that other companies that offer online services use two-step authentication for their transactions to ensure the safety of customer data. In this system, users receive a text message on their mobile phones to confirm that access was made from a new device.
Reid said that this second layer of online security would have prevented the cyber criminals from accessing the Starbucks accounts.