Starbucks Security Breach: The Media Misled You (Update 1)

UPDATED from 01/17/14 - 07:44 PM EST with the latest, including correspondence from the man who discovered the vulnerability, on Page Two.

NEW YORK (TheStreet) -- This will be quick and to the point.

I get accused of "sensationalizing" stuff all the time so I can't let this pass. Another case of the "tech media" needing to get over itself.

Here's the headline of a recent ReadWrite article:

Starbucks App Exposed: 10 Million Customers At Risk

And, after a description of the non-situation that segments of the media have been hysterical about all week, comes this more even-toned subheading:

Unsafe But Unlikely

Because, yeah, the hacker would A) have to get your phone in his or her possession, B) get past the lock screen and C) know how to execute what is a pretty high-tech hack.

Of course, any security vulnerability is a concern and should get addressed by Starbucks (SBUX); however, the media hype on this has been overdone.

If somebody gets your phone, pulling off the Starbucks hack would be the least of your worries. We put so much other personal data within relatively easy reach on our devices that most criminals would likely look past this apparent SBUX hole, if they even knew how to exploit it in the first place.

This is just another example of the pretentious and self-righteous tech media getting all worked up over nothing. It's an opportunity to take shots at Starbucks and throw a monkey wrench into the emergence of mobile payments.

I wonder if any of these guys have ever been hacked. If they have, they might stop sensationalizing and speak rationally about what happens in most situations.

I recall stepping into a BART station at San Francisco International Airport a couple years ago to discover my debit card wasn't working. I called ING Direct at the time and, apparently, hackers stole my card number after I had used it at a CVS. It was either an inside job or one of those semi-sophisticated operations where your card number gets lifted out of thin air.

In any event, when I called they knew what was up. They asked me if I was trying to make a large purchase at a CVS in Texas. I said no. They said good, it wasn't going to go through anyway. And my new card was in the mail.

Not fun. Somewhat unsettling, but part of the cost of doing business in this increasingly convenient world we live in. We have somehow survived pickpockets. We'll manage in the age of the digital pickpocket.

Layers exist externally to defend oneself against this type of thing -- at your bank for instance. But, more than anything, defend yourself. Keep an eye on your stuff. Check it several times daily. If you're on top of it, you're unlikely to get hurt beyond a relatively minor inconvenience.

On Page Two -- the latest, including correspondence from Daniel Wood, the man who discovered the vulnerability. 


I received an email from Daniel Wood, the security researcher who discovered the vulnerability in the Starbucks app, on Saturday afternoon. 

He wrote:

Rocco, thank you for taking this stance regarding my findings on the Starbucks iOS app.

Here's an update on the Starbucks situation and my comments on some of the sensationalizing ...

You can read Wood's complete comments at the link, but here are the highlights:
After publishing my vulnerability report on the Starbucks v2.6.1 mobile iOS application, I have been in continuous communications with Starbucks. As you know, Starbucks released an updated version of the application to address these security concerns. I have evaluated the latest version of the Starbucks mobile application (v2.6.2) from the Apple App Store and conducted exhaustive retesting of the application in order to confirm whether the vulnerabilities were successfully addressed ... 

Starbucks has effectively addressed the security issues that were documented in my original report ... however, I do recommend that the above issue be remediated within the next release cycle of the mobile application to prevent a customer's last logged geolocation data from being stored.
Wood also addressed sensationalism in the media, which clearly takes aim at the ReadWrite piece mentioned on Page One of the present article:
At no point were Starbucks's data servers compromised, exposing their 10 million customers to the application as some reports have suggested. This was a local exploitable vulnerability on a user's device, not a remotely exploitable vulnerability on their servers or any other type of remote code execution vulnerability.
There you have it. Don't believe everything you read, especially if it comes from over-the-top tech snobs, something Wood obviously is not. 

I (buzzword alert) reached out to SBUX Chief Digital Officer Adam Brotman on this. He couldn't comment at the moment, but asked that I check back in the coming days. 

--Written by Rocco Pendola in Santa Monica, Calif.

Disclosure: TheStreet's editorial policy prohibits staff editors, reporters and analysts from holding positions in any individual stocks. Rocco Pendola is a columnist for TheStreet. Whenever possible, Pendola uses hockey, Springsteen or Southern California references in his work. He lives in Santa Monica.
