
Evan Schuman: Starbucks sat on its clear-text password problem for months

Evan Schuman | Jan. 20, 2014
The company is dancing around the question of what it knew and when it knew it, but the security problem was not a revelation for it this week.

This raises a troubling question: If Starbucks had the ability to fix this in one day, why the heck didn't it do that months ago? For that matter, why wasn't the May 2013 version fixed before it went live?

The tendency of many large firms is to do nothing about security holes that they've learned about until either a major breach happens (e.g., Target and Neiman Marcus) or the media discloses the problem to the public. The latter seems to be the case with Starbucks, and as a columnist, I'm obligated to beat them up for taking no action when they had to know that storing passwords in plain text is sloppy security practice. Of course, if Starbucks officials really did first learn about the problem on Wednesday and then fixed the hole in a day, that would be very impressive. But, as a columnist, I'd have to beat them up for not having known. We security columnists are really hard to keep happy.

But this is the way it looks: Starbucks' security testing did in fact reveal the hole back before May 2013. So it gets points for not being clueless. But Starbucks chose to let the May update be distributed to millions of iPhones and iPads anyway. That's a big minus.
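What "storing passwords in plain text" means in code, beside the standard alternative, as an added example that is not code from the original column and not Starbucks' own implementation. The two stores below are hypothetical: one persists the password string itself, the other persists only a per-user salt and a PBKDF2-HMAC-SHA256 verifier, so a leaked copy of the store gives an attacker nothing to replay. The sample user, password and iteration count are constructed for the demonstration.

```python
import hashlib
import hmac
import os

# Constructed sample credential for the demonstration (not a real account).
SAMPLE_USER = "alice@example.com"
SAMPLE_PASSWORD = "correct horse battery staple"

# PBKDF2-HMAC-SHA256 parameters. 600,000 iterations is the current OWASP
# recommendation for this KDF; both values are assumptions for this example.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


class PlaintextStore:
    """The pattern the column calls sloppy: the password itself is persisted.
    Anyone who can read the store (a leaked file, a backup, a debug log) has
    the credential and can replay it wherever the user reused it."""

    def __init__(self):
        self.records = {}

    def register(self, user, password):
        self.records[user] = password

    def verify(self, user, password):
        return self.records.get(user) == password

    def dump(self):
        # What an attacker sees after reading the store: the passwords.
        return dict(self.records)


class HashedStore:
    """Salted, iterated password hashing. Only a verifier is stored, so a
    leaked store yields no reusable credential; recovering a password needs
    an offline guessing attack that the iteration count makes expensive."""

    def __init__(self):
        self.records = {}

    @staticmethod
    def _derive(password, salt):
        return hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
        )

    def register(self, user, password):
        salt = os.urandom(SALT_BYTES)          # fresh random salt per user
        self.records[user] = (salt, self._derive(password, salt))

    def verify(self, user, password):
        rec = self.records.get(user)
        if rec is None:
            return False
        salt, stored = rec
        # Constant-time comparison so response timing does not leak how
        # many bytes of the verifier matched.
        return hmac.compare_digest(stored, self._derive(password, salt))

    def dump(self):
        # What an attacker sees: salts and verifiers, no passwords.
        return {u: (s.hex(), d.hex()) for u, (s, d) in self.records.items()}


def leaked_password_visible(store, user, password):
    """True if reading the store directly reveals the password string."""
    return password in str(store.dump().get(user))


def demo():
    """Register the sample user in both stores and report what each exposes."""
    plain, hashed = PlaintextStore(), HashedStore()
    for store in (plain, hashed):
        store.register(SAMPLE_USER, SAMPLE_PASSWORD)
    return {
        "plain_verifies": plain.verify(SAMPLE_USER, SAMPLE_PASSWORD),
        "plain_leaks": leaked_password_visible(plain, SAMPLE_USER, SAMPLE_PASSWORD),
        "hashed_verifies": hashed.verify(SAMPLE_USER, SAMPLE_PASSWORD),
        "hashed_rejects_wrong": hashed.verify(SAMPLE_USER, "wrong password"),
        "hashed_leaks": leaked_password_visible(hashed, SAMPLE_USER, SAMPLE_PASSWORD),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The hashed store still answers "is this the right password?" just as well as the plain-text one; the only thing it gives up is the ability to read the password back, which is exactly the ability an attacker with a copy of the file should not have. For a mobile app the same logic applies on the device side: persist a revocable session token, not the password the user typed.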

The Starbucks situation raises another issue that also seems to plague many companies. Woods told me that he had tried to tell Starbucks about the password issue for nearly two months. Every time he tried, he was transferred to customer service, which had no idea what to do with the information.

If that prompts a haughty chuckle at the mocha maestro's expense, you might want to stifle it, because it's probably fair to conclude that similar communication holes exist within the vast majority of Fortune 1,000 companies. If someone called your call center today and wanted to report a security hole involving your mobile app or some major problem with your website, would the caller be routed to the mobile or e-commerce team or be shunted off to some never-monitored voicemail? Be honest now.

The heads of IT -- and of online and mobile groups -- are typically much more concerned with avoiding calls than with making sure the right calls get through. They figure (correctly, for what it's worth) that almost all external calls are from customers (send them to customer service), potential employees (off to HR) or salespeople (send them very far away). Switchboard and call center employees are well trained in where to send those people -- as well as us lowly members of the Fourth Estate, who are dispatched to media relations -- but people calling in with security or other timely and critical information for IT/mobile/online are ignored.
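The practitioner's answer to the routing problem described above is to publish a security contact somewhere a researcher will look before picking up the phone. The machine-readable form of that is a `security.txt` file (RFC 9116), a standard that postdates this 2014 column; the file below is an added example, not anything Starbucks published, and the domain, addresses and dates in it are placeholders.

```text
# Served at https://example.com/.well-known/security.txt (hypothetical host)
# Contact and Expires are the two fields RFC 9116 requires.
Contact: mailto:security@example.com
Contact: https://example.com/security/report
Expires: 2026-12-31T23:59:59Z
Preferred-Languages: en
Policy: https://example.com/security/disclosure-policy
```

The file only fixes the problem the column describes if the mailbox and form behind it are actually read by the people who own the mobile and web code; a published address that lands in the same unmonitored queue as the call center is the same hole with a nicer label.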

