Time to smell the coffee about Data Breaches by Kevin Duffey
The largest, most popular and fastest growing coffee shop chain in Britain has just written to Loyalty Card members, announcing that their data has been breached.
Costa Coffee and their owners, the Whitbread Group, deserve our sympathy. It looks like they have suffered a criminal attack. And fortunately, Costa don't keep credit card or bank account details in the databases that appear to have been hacked.
But Costa does hold the home address, date of birth, telephone, email and password for its Members. Consumers are lazy enough to re-use passwords, and criminals are ingenious enough to combine data from different sources. So it is possible that individuals could suffer because of this breach.
Costa could have done better. They certainly could have handled several aspects of their IT Security, and of their Breach Response, a bit better. For example:
- they limit the password complexity that Members can set up
- they didn't encrypt or "salt" the data they hold for Members
- they are sending replacement Passwords in clear text(!)
- they haven't offered a free Latte to those affected(!!)
Having a Breach does challenge the loyalty of Consumers, which is particularly ironic for a Loyalty Card. The Costa scheme is widely considered to be "among the least generous in the UK," with The Guardian calculating that 39 Americanos must be purchased to earn 1 free coffee.
But I plan to remain a Member, for three reasons:
- Costa Members get free WiFi
- Costa Latte is the best in London
- Every company is going to be breached. Costa have admitted theirs, and are clearly making an effort to improve their security.
Now, if only they will offer that free Latte!