Cyber Incident Victim: Bulletproof Coffee
Date:
May 2017
Location:
United States of America
Summary
Bulletproof Coffee experienced a data breach involving unauthorized code inserted into its website checkout system, enabling the theft of customer information over multiple months. The compromised data included names, physical and email addresses, payment card numbers, expiration dates, and security codes. The company discovered the breach in mid-autumn, initiated an investigation with external security experts, and notified authorities. It offered reimbursement for documented fraudulent charges not covered by financial institutions and implemented measures to enhance website security. An apology was issued to affected customers for the incident.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
Bulletproof Coffee, known for its butter-infused coffee products, experienced a data breach compromising customer personal and financial information. The company discovered unauthorized computer code inserted into the software operating its website checkout page during mid-October 2017. This malicious code was active during two distinct periods: from 20 May through 13 October and again from 15 October through 19 October 2017. The compromised data included customers' full names, physical addresses, email addresses, payment card numbers, card expiration dates, and card security codes (CVV). Bulletproof 360 initiated an investigation with assistance from leading cybersecurity firms, confirming the code's capability to capture sensitive information entered during online transactions. The breach was disclosed to California authorities on 27 November 2017, though the company did not publicly specify the number of affected individuals.
Company founder and CEO Dave Asprey notified impacted customers via letter, emphasizing collaboration with security experts and law enforcement. Bulletproof advised customers to monitor payment card statements for unauthorized transactions and committed to reimbursing documented fraudulent charges that financial institutions declined to cover. The company stated it was implementing enhanced website security measures to prevent future incidents. No threat actor attribution or specific attack vector details were disclosed publicly. The breach exposed payment card data at heightened risk for fraud due to the theft of CVV codes, which are typically prohibited from storage under payment card industry standards.