Starbucks (NASDAQ: SBUX) is the most recent company to confess to a security scare, and has released an updated version of its iOS app in response to reported security issues that could disclose sensitive customer information.
The feature in question is a log file generated by crash-reporting analytics firm Crashlytics that stores personal information in plain text. The log file, which contains unencrypted versions of the customer's username, email address, and password, can be retrieved from a user's handset even if the phone is locked with a PIN. Starbucks executives acknowledged the vulnerability, said that no customers had claimed to have been hacked as a result, and said that they have made changes to mitigate the danger.
"We take these types of concerns seriously and have added several safeguards to protect the information you share with us," Starbucks wrote in a statement. "To protect the integrity of these added measures, we are unable to share technical details but can assure you that they sufficiently address the concerns raised in the research report."
A Starbucks spokesperson confirmed that a future update to the app will bring a new credential storage method that will no longer expose usernames and passwords as plain text. The company said it expects this update to be ready "soon."
Neiman Marcus is making amends for its recent data breach with a public apology, offering a free year of credit monitoring service to any customer who shopped with a payment card over the past year. CEO Karen Katz apologized Thursday to customers affected by the hack via a statement on the company's Web site.
"We deeply regret and are very sorry that some of our customers' payment cards were used fraudulently after making purchases at our stores," Katz wrote. "We want you always to feel confident shopping at Neiman Marcus, and your trust in us is our absolute priority."
More details are coming to light about the Neiman Marcus breach. In a call with credit card companies, Neiman Marcus admitted that the time stamp on the first intrusion was in mid-July, but the company first learned about suspicious activity in mid-December. Neiman Marcus defended its decision not to disclose anything until last week, saying it waited to confirm evidence. The retailer said that the theft wasn't fully contained until Jan. 12 and only affected shoppers who made in-store purchases and not those who shopped online.
The retailer is taking steps to figure out how its customers' credit card information was hacked. Neiman has not publicly given any estimate of how many credit card numbers were stolen, or how many customers were affected, but it noted that it does not collect PINs in its stores. Customers' Social Security numbers and birth dates were also not affected.
Neiman Marcus also said on Thursday that it had "no knowledge of any connection" between its data breach and Target's (NYSE: TGT).