Starbucks and Neiman Marcus Also Hacked During The Holidays, When Will We Take Security Seriously?
Over the holidays, popular retailer Target admitted that it had been breached, with data of up to 40 million customers stolen. Weeks later, that number skyrocketed to 110 million. As we can now see, while it was Target that dominated the security headlines this past month, two other incidents seemingly flew under the radar, involving Starbucks and Neiman Marcus.
Between these two incidents, I can't even decide which one is worse - both companies involved should be hugely embarrassed. On the Neiman Marcus side, its servers had been compromised as far back as last July, with the company finally noticing the issue in December. That's right - it took a full five months for the company to recognize this gaping hole. The worst of it is, credit card numbers had been taken and used; this isn't one of those stories where we're talking about what could have happened.
Because of this breach, Neiman Marcus is required to answer 10 sets of questions from Florida's Attorney General Pam Bondi, after which we should learn more about what lacking security measures allowed such a breach to take place. While credit card numbers were apparently lifted over the time the systems were compromised, the company says that birth dates and social security numbers should be safe.
It doesn't seem that Starbucks' flaw led to customer data being compromised, but the issue is no less embarrassing. In effect, due to a flaw in its iOS app, Starbucks stored customer login information in plain text. Something like this wouldn't have been too surprising to learn of more than ten years ago, but in an age where even MD5 hashing is considered not enough, it's outright ridiculous.
Here's what's appalling: Starbucks just issued the update to correct this problem - a problem that we now find out it knew about since last May. Seriously. Starbucks might just be a coffee shop, but if a customer had cash in their account, anyone who gained access to this plain-text password could have enjoyed a Venti triple-shot Caramel Macchiato on their dime.
As I mentioned above, both of these incidents are mind-boggling, and the fact that they were allowed to happen shows the absolute disregard both companies have for their customer's security. For it to take five months for a breach to be discovered is ridiculous, and for a company to take more than half a year to patch a known issue might be just as ridiculous.
Across Target, Neiman Marcus, and Starbucks, that's three fatal flaws discovered in just the past month. When on earth are companies going to begin taking their customer security seriously? It's somewhat understandable if a breach occurs when good security measures are in place, but as evidenced by Neiman Marcus and Starbucks, ineptitude was the reason here, and that's inexcusable.