Cyber Incident Victim: Starbucks Singapore

On September 10, 2022, a threat actor advertised a database containing sensitive information of 219,675 Starbucks Singapore customers for sale on a hacking forum. The database included names, genders, dates of birth, mobile numbers, email addresses, and residential addresses. The forum owner known as "pompompurin" validated the authenticity of the sample data provided by the seller. Starbucks Singapore confirmed the breach through customer notifications and spokesperson statements, clarifying that only customers who used the Starbucks mobile app or online store were affected. The company operates 125 stores in Singapore, but the breach did not impact financial information or stored credit card data, as Starbucks does not retain such details. Account passwords, Rewards memberships, and stored credits were also not confirmed as compromised, though the company advised customers to reset passwords as a precaution.

The threat actor initially attempted to sell access to Starbucks Singapore’s compromised admin panel for $25,000, which would have allowed unauthorized changes to promotional codes and membership tiers. This access was later lost, leading the seller to focus exclusively on database sales. The hacker claimed to have sold one copy of the database for $3,500 and offered up to four additional copies to maintain scarcity and preserve its value for potential phishing, social engineering, or scamming campaigns. Starbucks Singapore collaborated with its licensed operator to investigate the breach and implemented existing fraud monitoring systems to detect unauthorized activity. In a September 17 update, the company reiterated its focus on protecting customer information and advised users to employ unique credentials across different platforms, particularly those storing financial data. The incident exposed affected customers to heightened risks of targeted attacks due to the circulation of their personal information.