Starbucks has disclosed a data breach that exposed the personal information of hundreds of employees after attackers gained unauthorized access to internal employee accounts.
In a filing with the Maine Attorney General, the coffee giant said it discovered the incident on February 6 and that 889 individuals were affected. The breach involved accounts tied to Starbucks Partner Central, the internal platform employees use to manage employment information, benefits, and HR-related services.
Starbucks operates nearly 41,000 stores across 88 countries and employs more than 380,000 workers worldwide, whom the company refers to as “partners.”
According to breach notification letters sent to affected employees and filed with regulators, the company launched an investigation with the help of external cybersecurity experts after identifying suspicious activity. The investigation determined that attackers had gained access to 889 Partner Central accounts.
These accounts contain sensitive employment and personal information, including HR data and benefits details. While Starbucks has not publicly disclosed exactly how the attackers gained access, reports indicate the breach was linked to compromised account credentials.
Cybersecurity experts say the incident reflects a growing trend in which attackers focus on stealing login credentials rather than directly breaching corporate systems.
Simon Pamplin, Chief Technology Officer at Certes, said the breach appears to follow a pattern increasingly seen across organizations.
“This incident follows a pattern that is becoming increasingly familiar,” Pamplin said. “The attackers did not breach Starbucks’ infrastructure directly. They obtained credentials through spoofed login pages and used legitimate access to reach sensitive employee data. Once inside an authenticated session, the controls designed to keep attackers out became largely irrelevant.”
According to Pamplin, the type of information exposed in the breach is particularly valuable to cybercriminals.
“The data exposed, including Social Security numbers, dates of birth and financial account details, represents a durable set of identifiers,” he said. “These are not credentials that can be reset with a password change. They retain value to criminal groups for years and can be combined with information from other breaches to enable fraud, identity theft and targeted social engineering long after the incident itself has faded.”
Pamplin also pointed to the potential impact of how long the attackers may have had access to the accounts.
“The access window of approximately three weeks is also worth noting,” he said. “Extended dwell time increases the likelihood that data was systematically accessed and extracted rather than incidentally exposed.”
Starbucks has offered affected employees two years of credit monitoring and identity protection services. However, Pamplin noted that the risks tied to this type of personal information can extend well beyond that timeframe.
“Social Security numbers and financial identifiers do not expire, and the risk of misuse does not diminish on a fixed timeline,” he said.
He added that incidents driven by credential theft highlight the need for organizations to focus not only on perimeter defenses but also on protecting the data itself.
“Perimeter and identity defenses are a necessary foundation, but the resilience of an organization ultimately depends on whether the data itself is rendered unusable outside its authorized context.”




