Starbucks has disclosed a data breach attackers gained access to hundreds of employees’ Starbucks Partner Central accounts, which are used for managing employment information, personal data, benefits, and HR information.
In a letter sent to affected staff members, the company said: “On or about February 6, 2026, Starbucks Corporation (“Starbucks” or “we”) became aware of potential unauthorized access to certain Starbucks Partner Central accounts.”
Starbucks is the world’s largest coffee shop chain with 380,000 employees and nearly 41,000 shops in 88 countries. In a data breach notification filed with the Attorney General in Maine, Starbucks said 889 employees were affected.
“Upon becoming aware, Starbucks commenced an investigation and began taking measures to assess and contain the incident. In connection with those efforts, we retained leading experts and notified certain law enforcement authorities,” the coffee giant said.
“Based on our investigation, we understand that some of your personal information, including your name and social security number, date of birth, and financial account number and routing number, may have been accessed by an unauthorized third party,” it continued.
Starbucks said it took prompt action to investigate the incident’s scope and nature, and notified law enforcement. It also took measures to further strengthen access controls around Starbucks Partner Central accounts.
The company is offering complimentary access to Experian IdentityWorksSM for two years. It also encouraged employees to activate the fraud detection tools provided by Experian.
Commenting on this, Simon Pamplin, CTO at Certes, said: “This incident follows a pattern that is becoming increasingly familiar. The attackers did not breach Starbucks’ infrastructure directly. They obtained credentials through spoofed login pages and used legitimate access to reach sensitive employee data. Once inside an authenticated session, the controls designed to keep attackers out became largely irrelevant.”
He added that the data exposed represents a durable set of identifiers. “These are not credentials that can be reset with a password change. They retain value to criminal groups for years and can be combined with information from other breaches to enable fraud, identity theft and targeted social engineering long after the incident itself has faded.”
Pamplin said the access window of approximately three weeks is also worth noting. “Extended dwell time increases the likelihood that data was systematically accessed and extracted rather than incidentally exposed. The question organisations must ask in the aftermath is not only how access was gained, but what was readable during that period and for how long.”
24 months of credit monitoring addresses the immediate concern for those affected, but the liability horizon for this category of data extends well beyond that window, Pamplin adds. Social Security numbers and financial identifiers never expire, so the risk of misuse does not diminish on a fixed timeline.
“Incidents driven by credential theft reinforce the importance of ensuring that even where access controls are bypassed, the underlying data remains protected through data-centric, quantum-safe controls. Perimeter and identity defences are a necessary foundation, but the resilience of an organisation ultimately depends on whether the data itself is rendered unusable outside its authorised context.”
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.