Starbucks HR system breached, nearly 900 employees affected


Starbucks has reported a data breach impacting hundreds of employees after attackers used phishing to gain access to accounts on an internal HR platform used to manage personal and employment information.

The coffee chain said a joint investigation with external cybersecurity experts found that an unauthorized party compromised the Partner Central accounts of almost 900 Starbucks employees.

Partner Central is a platform that deals with employees’ details including benefits and other HR information.


On February 6 the incident was filed with the Maine Attorney General and a letter – seen and reproduced by Bleeping Computer – was sent to affected employees.

The letter details that investigators established the attackers were able to access the accounts after obtaining login credentials through websites impersonating the Partner Central portal.

Starbucks added that the criminals had access to the affected accounts between January 19 and February 11.

The personal information exposed in the incident includes employees’ names, Social Security numbers, dates of birth, and financial account numbers.

The company has said that it notified law enforcement and advised affected employees to monitor their bank accounts for suspicious activity that could indicate fraud or identity theft.

The coffee giant said that it is also providing those affected with two years of credit monitoring through Experian Identity Works.

In the notification letter, the company said it had taken “prompt steps to investigate the nature and scope of the incident and respond to it”, including notifying law enforcement and “strengthening security controls related to access to Starbucks Partner Central accounts.”


However, the company did not explain why it took five days to remove the attackers from its systems after the activity was detected.

Simon Pamplin, CTO at security firm Certes, said the three-week access window raises questions about the potential scale of data exposure.

“The access window of approximately three weeks is worth noting. Extended dwell time increases the likelihood that data was systematically accessed and extracted rather than incidentally exposed.”

“The question organizations must ask in the aftermath is not only how access was gained, but what was readable during that period and for how long,” Pamplin added.

Pamplin added that the risks associated with the exposed information could persist well beyond the two-year credit monitoring period offered by Starbucks.

“Social Security numbers and financial identifiers do not expire, and the risk of misuse does not diminish on a fixed timeline.”

In 2024 the coffee chain was hit by a supply chain attack after tech provider Blue Yonder suffered a ransomware breach. Photo by Justin Sullivan/Getty Images.

Starbucks employs more than 380,000 workers worldwide and operates nearly 41,000 locations across 88 countries.

The company has previously faced cybersecurity incidents. In 2024 Starbucks was impacted by a supply chain attack after one of its technology partners, Blue Yonder, was hit by a ransomware attack just before Thanksgiving.

A Starbucks branch in Singapore also disclosed a data breach in 2022 that affected more than 219,000 customers.
