The 284-store Teavana tea chain, owned by Starbucks (NASDAQ:SBUX), has been hit with a chainwide credit and debit card breach, apparently done through PINPad tampering, according to a report in the Krebs On Security blog. The story added that the breach coincided with a spike in people purchasing "high-dollar gift cards" at Target (NYSE:TGT), using cloned bogus payments cards that used the stolen card data.
"A source at a major U.S. credit card issuer confirmed that the card brand has seen fraud rates indicative of a breach emanating from virtually the entire Teavana franchise," the report said. "Separately, a federal law enforcement official who asked not to be named said agents were indeed investigating a possible breach at Teavana."
Starbucks, responding on behalf of Teavana, issued what is known in media circles as a non-denial denial. Starbucks said it "takes its obligation to protect customers' financial information very seriously," and that the company "has safeguards in place to constantly monitor for any suspicious activity. In the normal course of business, we are contacted by card brands and bank partners to participate in requests to ensure the integrity of all systems, and we participate fully in these requests. If and when issues are ever substantiated, we will take action to notify and support customers in the most appropriate way possible." Would Starbucks have said such a thing if they knew of no breach?
The Krebs report said the breach first became known in early March (2013) when the Target frauds started surfacing. "It went from like nothing to 200 counterfeits in one week," the source told Krebs. "The institution later found that nearly all of the counterfeit cards had previously been used at Teavana locations across the country, many as far back as late 2012. The source added that the thieves' ability to clone cards means that the attackers had almost certainly installed malicious software that extracts data stored on the card's magnetic stripe—most likely from point-of-sale devices when customers swipe their cards at the register."
At least it's reassuring to know that the code of criminals is still honored. Whenever card data is stolen from one chain, the resultant frauds are never redeemed at that chain. It's considered very bad manners, not to mention bad karma. But it's also very helpful to law enforcement, who triangulate the point of data theft and the point of redemption. The more locations impacted, the better the triangulation. More importantly, the more retailers who are pained by the breach, one can hope, the closer the day will be when chains start taking data security a lot more seriously.
- See the Krebs On Security story