Update, Jan. 17: Starbucks has now issued the promised update to the app.
Starbucks says it will make further updates to its iOS app to address concerns raised by a security researcher about the way the app stores user names and passwords. The company issued an open letter to customers this morning, telling them that it has already taken steps to protect their personal information and that it will go further in a forthcoming update to the app.
Retail technology columnist Evan Schuman reported on the situation in Computerworld yesterday, citing the work of security researcher Daniel Wood. The problem, according to the Computerworld report, is that Starbucks is storing user names and passwords in clear text on the device, where they can be read using the right tools when the phone is connected to a PC.
Here’s the full text of the letter issued by Starbucks this morning:
January 16, 2013
Your security is incredibly important to us. This week a research report identified theoretical vulnerabilities associated with the Starbucks Mobile App for iOS in the event a customer’s iPhone were to be physically stolen and hacked.
We’d like to be clear: there is no indication that any customer has been impacted by this or that any information has been compromised. Regardless, we take these types of concerns seriously and have added several safeguards to protect the information you share with us. To protect the integrity of these added measures, we are unable to share technical details but can assure you that they sufficiently address the concerns raised in the research report.
Out of an abundance of caution, we are also working to accelerate the deployment of an update for the app that will add extra layers of protection. We expect this update to be ready soon and will share our progress here. While we are working on the update, we would like to emphasize that your information is protected and that you should continue to feel confident about the integrity of our iOS app.
We appreciate your business and believe it is our job to earn your trust as a customer. We also know that constant vigilance is the best way to protect you and the information you share with us. If you think your information may have been compromised for any reason, please contact our Customer Care team at 1-800-23-LATTE or at www.starbucks.com/customer.
Starbucks chief information officer