Starbucks has been caught storing user names, passwords and even location data in clear text in its iOS payment app since mid-November, although it appears the company has been aware of the security risk for a while, ComputerWorld reports. Anyone with access to an iPhone can see the data after connecting the device to a computer – a jailbreak isn’t even necessary.
In a telephone interview with the publication, two Starbucks executives, CIO Curt Garner and Chief Digital Officer Adam Brotman, acknowledged having known about the issue. “We were aware,” Brotman said. “That was not something that was news to us.” He added that the password issue shouldn’t be of concern anymore because “we have security measures in place now related to that,” without revealing what “extra layers of security” Starbucks has enabled to make “usernames and passwords safe.”
It is believed that Starbucks intentionally chose to store the password on the phone to make purchases more seamless, so that users would not have to enter their passwords every time they pay for something. Users would only have to enter the password once, when activating the payment portion of the iOS app, at which point they would be able to make unlimited purchases without entering it again, assuming there is enough credit.
The good news, though, is that Starbucks has pledged to make some important changes to help keep users’ information secure. Starbucks on Thursday announced that it is “working to accelerate the deployment of an update for the app that will add extra layers of protection” that the company expects “will be ready soon.” Starbucks emphasized, however, that no user passwords had yet been compromised and that users should feel safe that their data is secure on the app.