UPDATE: It's now posted in the first comment. Starbucks employees say in the open thread below that a laptop with 97,000 employees' social security numbers, names and addresses was stolen, and that a message about this theft was sent to the partners. Somebody please post THE FULL TEXT OF THE MESSAGE in the comments below to verify this.
Dear _____:
Because Starbucks takes out commitment to safeguarding the personal information and security of our partners very seriously, we are writing to inform you of a recent incident that may have involved a breach of your private information (including name, address and social security number). We are sending this letter to not only notify you about the incident, but also to share information about some safeguarding steps that we recommend you undertake to ensure that your information is fully protected and secure.
Starbucks Enterprise Security learned that a laptop containing partner information was stolen on October 29, 2008. The private information of approximately 97,000 US Partners, including yours, was stored on this laptop. A police report was filed with the Seattle Police Department. At present, we have no indication that the private information has been misused.
As a precaution, we ask that you monitor your financial accounts carefully for suspicious activity and take appropriate steps to protect yourself against potential identity theft. To assist you in protecting this effort, Starbucks has partnered with Equifax to offer, at no cost to you, credit watch services for the next year. This service provides you with an early warning of any changes to your credit file. Enclosed you will find a description of the service and enrollment instructions.
In addition, the Federal Trade Commission has released a comprehensive guide that may provide you with valuable information to help protect yourself against and deal with identity theft. It is available for free online at http://www.ftc.gov/bcp/edu/microsites/idtheft/consumers/about-identity-theft.html.
When these incidents occur, we take the opportunity to once again review our procedures for protecting data and educate our partners about ways to further protect their personal information. We also continue our work to prevent future incidents from occurring. In fact, we are currently implementing encryption solutions where appropriate.
Again, while we have no evidence that your personal information has been misused or compromised, we believe it is important that you are fully informed of the potential risks associated with this incident. Starbucks regrets any inconvenience this situation may cause.
If you have any questions, please contact the Starbucks Partner Contact Center.
Signed,
Russell Walker
vp, Enterprise Security
Starbucks Coffee Company
Information about the Equifax program is on the back of the letter.
Posted by: BL | November 22, 2008 at 10:01 PM
I'm looking at my letter right now. It's longish, and standard, but I'll see if I can't get it typed up for y'all.
Posted by: SadDaysAhead | November 22, 2008 at 10:02 PM
Thanks for that BL, you spared me!
Posted by: SadDaysAhead | November 22, 2008 at 10:02 PM
This is classic...
"We F'd up and weren't responsible for your information - we're awfully sorry, you know we take this very seriously, but hey, in any event - go ahead and take care of this on your own."
Wow, thanks for watching my back Starbucks!
And why is it that *any* laptop in the company has local copies of Partner information stored on the drive?? Really? I realize that this isn't an IT company, but come on. This should have never been possible.
Posted by: SirensBlazing | November 22, 2008 at 10:07 PM
A similar thing happened last year to employees of Chicago Public Schools. No laptop at ANY company should ever have information like that on the drive. But obviously it happens.
Posted by: Pattie | November 22, 2008 at 10:57 PM
1st sentence "out" should be "our"
Posted by: BL | November 22, 2008 at 11:08 PM
So if my identity gets stolen, you're paying for damages, right guys? Since it's your fault..? No? Oh, you're not? Thanks guys! Talk about legendary..
Posted by: | November 22, 2008 at 11:08 PM
The Equifax service includes a $2,500 damage protection with a $250 deductible.
Posted by: BL | November 22, 2008 at 11:12 PM
Does anyone know if this applies to ex-partners? or just current ones?
Posted by: Ex-Partner | November 22, 2008 at 11:20 PM
Let's just assume that there is absolutely NO mis-use of the information on the laptop. Let's also assume that we are lucky enough to catch the guy:
What is the value of the laptop? If the laptop itself is worth less than $5k then it is quite possible the County (King County) may 'decline to file' the case. King County is in a huge budget shortfall, and so smaller prosecutions are being pushed out to other jurisdictions (municipal courts) or not prosecuted at all:
http://seattletimes.nwsource.com/html/localnews/2008159764_kingbudget05m.html
So, if the County doesn't file on it, the City of Seattle, under this circumstance, could pick up the case. (I'm making that assumption because the incident was filed with the Seattle Police Department per that letter, so it is a safe assumption) So then the City of Seattle would file a "theft" charge against the person. (And the City definitely would fully prosecute this).
So now the accused person is facing a gross misdemeanor, punishable by a maximum of one year in jail and/or a $5000 fine.
Then what? I've heard Assistant City Attorneys murmur that the cases they get from the county will be fully prosecuted, and considered more serious because it *could* have been filed as a felony. The City will definitely attempt to seek jail time and restitution.
Of course, what actually ends up happening within Seattle Municipal Court will depend heavily upon which judge it gets set in front of and what kind of history this guy has.
And I've made A LOT of assumptions above.
Posted by: Melody | November 22, 2008 at 11:26 PM
Just wait until that laptop containing the Gold Card data gets stolen.
Posted by: truth | November 23, 2008 at 12:42 AM
But heaven forbid Starbucks strategic plans are stolen. Uncle Howie call James Bond or better yet Nancy Drew!
Posted by: BOSTON STARBUCKS REBEL | November 23, 2008 at 03:04 AM
Just found out I'm one of them...guess that's what three years in starbucks gets me, I wasn't part of the other 2 thefts in the past years!
Posted by: Ryan (SS) | November 23, 2008 at 03:39 AM
Am I having Deja Vu? Did this same exact thing not happen just a few years ago as well? I received a letter a few years ago with this same exact thing. What the hell is going on with the security over there? This is very serious as far as I'm concerned and since it has happened already you would think the company would be extra sensitive about this. Unbelievable!!!
Posted by: Darleen | November 23, 2008 at 04:55 AM
Darleen, the funny thing is... Starbucks is not very careful with partners' information. My first week at the SSC, I was given a laptop from a storage room full of about a half dozen laptops and PCs. I asked when we needed to inventory them and the reply was. "Oh we don't do that. If a person had a mind about them, they could walk outta here with some nice equipment." They've handed out locking cords on a couple of occasions but there's no mandate... you still see laptops just sitting out in the open. At one point in time P&AP was walking around grabbing laptops and leaving a note on the partners' desks to come retrieve it (and a stern talk to)... but now that Francis is on sabbatical, no one probably cares.
Posted by: Pat Nerr | November 23, 2008 at 05:10 AM
Why is this kind of information on a laptop, that can easily be stolen? This makes no sense to me.
Posted by: Kat | November 23, 2008 at 06:32 AM
i got my letter this morning! woot.
Posted by: yay | November 23, 2008 at 06:34 AM
I just wish the letter had given further information! ..Is the information password-protected? Is it easily accessible to anyone who looks at it?
Posted by: Ripped | November 23, 2008 at 08:39 AM
can we say class action lawsuit sbux....u greedy frucks!
Posted by: | November 23, 2008 at 08:56 AM
Go ahead and steal my identity. You'll get your car repo'd and your salary garnished!
Posted by: C | November 23, 2008 at 09:51 AM
Who would want to be me?
Posted by: BOSTON STARBUCKS REBEL | November 23, 2008 at 10:11 AM
I love how it took almost a month for them to say anything... I am so pissed off with the company right now... I love this part of the letter, "but also to share information about some safeguarding steps that we recommend you undertake to ensure that your information is fully protected and secure." UMMMM wait a minute!!! You just gave away my personal information and you wanna give me tips on how I'm supposed to keep it safe???? Here is another good part, "When these incidents occur, we take the opportunity to once again review our procedures for protecting data and educate our partners about ways to further protect their personal information. We also continue our work to prevent future incidents from occurring." You wanna educate me???? Why didn't you guys learn from a few years back??? Ughh, they piss me off so much!!!!
Posted by: | November 23, 2008 at 10:11 AM
Looks like Starbucks should have had somebody drive over to the Eastside to learn about Microsoft's Bitlocker drive encryption for the corporate laptops.
Posted by: Mike in Seattle | November 23, 2008 at 10:25 AM
Darleen,
Yes, the missing laptops situation happened in 2003/2004 and I think at least 2 or 3 of them were missing. The case was never solved because Starbucks claimed to have had an internal investigation, to which, I believe is also obstruction of justice and reeks of corporate cover up.
I lost my job a few months after the incident because I received a letter very similar to what you guys are getting now. So, don't be surprised if Starbucks uses the missing laptop as a loophole to 'get rid' of the 97,000 more partners for underhanded reasons to cut more labor.
They should NOT have called local police and call in the FBI instead. It's possible Corporate is using SSC as a 'patsy' to blame for the missing laptops. Something to think about.
Posted by: anonymous | November 23, 2008 at 12:25 PM
in all my years at starbucks, i never once saw any meaningful effort at security for laptops. no locks while laptops left in the cube overnight. sensitive material left on desks. no sense of security protocol. wtf does p&ap do all day save worry about how to manage disgruntled employees. nobody is in charge of the circus...
Posted by: beantheredonethat | November 23, 2008 at 12:26 PM
I have had this happen to me twice while working for bux. They don't even actually pay for all of your identity to be protected. They just protect you through one credit agency, but there are three. So when you are responsible and try to take care of it, you will end up paying to protect your identity through the other two credit agencies.
Posted by: | November 23, 2008 at 12:55 PM
Anonymous at 10:25am -
Maybe I'm being dense here but I don't see the connection btw your getting that notification letter and your losing your job a few months later (?), please connect the dots for me.
From what I've heard about the damage identity theft can cause, Equifax's $2,500 is a drop in the bucket. But unless someone is successfully charged with the laptop theft, and they can then be linked with whatever fraud might ensue, I would imagine it would be very difficult to hold Starbucks liable.
Sigh.
Posted by: Chucktown Barista | November 23, 2008 at 01:23 PM
Completely ridiculous to think laptops don't have this stuff on them. Any data geek would be lying if they did say an obvious common key such as ssn isn't used.
Why the laptop wasn't at least encrypted though is laughable
Posted by: stl | November 23, 2008 at 01:33 PM
To Chucktown Barista,
I'm not saying they're related to my job loss, but one can never know. At the time, the missing laptop affected partners with 5 or 6 digit numbers.
However, the recent missing laptop fiasco shows that Starbucks is careless about security OR is letting it happen on purpose for underhanded reasons.
Who benefits to play dumb in front of police? SSC or Corporate? If the FBI was involved, Corporate would be singing a different tune.
Posted by: anonymous | November 23, 2008 at 02:07 PM
To Chucktown,
Also, think about it. WHY didn't they contact the FBI and only local police?
Posted by: anonymous | November 23, 2008 at 02:09 PM
"Why the laptop wasn't at least encrypted though is laughable"
We don't know that it wasn't encrypted.
Everyone is freaking out, this kind of thing happens to LOTS of companies. It happens to the government, to schools, to all sorts of employers.
You all keep blaming starbucks, but you have no idea what the real situation is. You don't know anything stop being so HATEFUL
Posted by: Christin | November 23, 2008 at 02:09 PM
97,000 partners??!! Isn't that, like, 3/4 of all the partners? How many partners does SBUX have these days?
Posted by: #1 | November 23, 2008 at 02:16 PM
LoL stolen? or could it just be misplaced somewhere in the building? That would be a farce.
Posted by: Mysticboi | November 23, 2008 at 04:20 PM
I was also one of the letter recipients.
All I can say is, wait until this happens to you.
Don't tell me not to be anxious or angry, OK? I've got good credit and I worked hard to get it and keep it that way. If the worst happens I will be the one who will have to get the mess cleaned up.
Posted by: ShiftyinNV | November 23, 2008 at 04:25 PM
I called the PCC after I got my letter and they informed me that the laptop was stolen out of someone's home. Apparently the partner who had the laptop stolen worked at the enterprise help desk, but worked out of the home. They were running something related to the databases, and that night i guess his laptop was stolen out of the home.
Call PCC to confirm this, cause the first question I asked was "Why would all this info be on a laptop?"
Posted by: tomokun | November 23, 2008 at 05:22 PM
Even if they needed the information on an individual laptop, shouldn't the information be stored on a remote server then accessed via a secure encrypted connection? Something like Terminal Server comes to mind, since even small private businesses have that level of security.
Posted by: | November 23, 2008 at 05:46 PM
Class action. How do we file, how do we begin?
Let's do this. I'm not even kidding. This is ridiculous; information like this should not be stored on a laptop. It's to prevent crap like this.
How do we file, how do we begin?
Posted by: Barista Joe | November 23, 2008 at 06:20 PM
I work at a local police dept (24 years & counting) I have seen many cases of identity theft. Please do not blow this off, you should be very diligent about keeping tabs on your credit. Just because it does not happen right away does not mean it will not happen later on. There are a lot of people out there just waiting to get this type of information and bleed you dry.
Good Luck!
Posted by: Kathy | November 23, 2008 at 06:27 PM
If in fact, a home was burglarized, they probably just wanted the laptop. They deleted the info and sold it on ebay. I, too got the letter but I'm not very concerned. Unless, someone comes forward and says that they are having identity theft problems, relax.
Posted by: spence | November 23, 2008 at 06:34 PM
I'm an ex-partner, 151XXXX. I just got this letter.... can we say "class-action"?
Posted by: Alex | November 23, 2008 at 06:49 PM
Add me to the list for lawsuit. I am glad Sbux cares so much for me that it protects only $2500 of my life.
I got the letter today too. As did my roommate. Can you say fed up with sbux?
Posted by: GRTL | November 23, 2008 at 07:27 PM
Can any lawyers chime in on this one? I was wondering- does acceptance of the credit monitoring service constitute a settlement? Because I need to take a look at my report, but I want to hang on to my right to sue their collective ass.
Posted by: Alex | November 23, 2008 at 07:46 PM
Spence,
To delete the laptop would not be so easy if the laptop has a user password to open up the drive's contents or to access the disk utility app to reformat the hard drive.
Whoever stole it benefits to SELL the information of the database at the highest bidder. It's far more valuable than the laptop itself. THINK, Spence. THINK!
To sell it on EBay is the dumbest thing the crook would do.
So, the question begs is WHO knew this person's laptop had Starbucks info in there and where that person lives?
Was it corporate espionage or a setup to get rid of the partner information to make the partners 'non-existent' in the system (however, it's debatable because the paychecks would keep coming and their info are to be already backed up in the archive terminal or such)?
Something to think about.
Otherwise, people, file the lawsuit if necessary.
Posted by: anonymous | November 23, 2008 at 08:30 PM
Oh and by the way, if this affects 97,000 partners, it is national in level, not local which means it requires the attention of the Federal Bureau of Investigation.
NOT local police.
This is a federal crime and most likely class-action lawsuit.
Posted by: anonymous | November 23, 2008 at 08:33 PM
I'm pretty sure that until there are actual provable damages, you have no lawsuit.
It's likely that the information has been deleted. Unless the thief knew that information was there, and wanted that specific information I cannot see any reason why they would attempt to get around any passwords etc. that are on the laptop. They would likely just format the thing and pawn it, or ebay it.
As such, until any of your information is used and can be tracked back to this laptop/individual, you have no civil case (although, I bet you could find a lawyer willing to try anyway - they get paid regardless).
Posted by: Gord | November 23, 2008 at 08:36 PM
LOL. I can't even get Howard Schultz's signature on my registered Starbucks card. I really don't know much about the law of class actions, so I haven't weighed in on that.
Posted by: Melody | November 23, 2008 at 08:37 PM
^ My post above was directed at anon at Posted by: | November 23, 2008 at 06:26 PM.
Posted by: Melody | November 23, 2008 at 08:40 PM
I filed a complaint against Starbucks with the FTC Bureau of Consumer Protection (a website I got to through filing the fraud alert). Although technically we're employees in this case and not consumers, any company or institution that requires individuals to give them sensitive information, which they then use and store, has a responsibility to secure that information. Period.
Posted by: Chucktown Barista | November 23, 2008 at 09:19 PM
I got my letter, and one of the partners in my store just had all of the money stolen from her account by someone a full state away. She didn't lose her ATM card or any other card. Have no idea if it has anything to do with this whole situation, but someone got her bank account number and personal info and bled her accounts dry. She has had to file police reports and change all her accounts and hopefully will get her money replaced by the credit union she banks at. I HOPE this has nothing to do with the laptop being stolen and is just some freaky coincidence, but I am taking every precaution just in case. I have worked hard to build good credit and save money, and I will not have some morally corrupt lowlife steal that from me.
Posted by: worriedaboutgoodcredit | November 23, 2008 at 09:20 PM
Shareholders, consider this: the 12 months of Equifax credit monitoring costs $69.95. Multiply that by 97,000 employees ...
Even if Starbucks got a discount and not all employees enroll, think about the cost of this sloppy, sloppy data management.
Posted by: Chucktown Barista | November 23, 2008 at 09:31 PM