Costa Coffee is warning customers it may have suffered a security breach and, alongside resetting the passwords for all of its Coffee Club accounts, is going to implement a "new format" for users' passwords.
The Costa Coffee Club is Costa's "little way of saying thanks", and it certainly is little, offering five pence for every pound spent in-store, and "unlimited free Wi-Fi".
The app-accessed club requires a fair amount of customers' information, including names, emails, birth dates, phone numbers and physical addresses.
The Register contacted Costa after readers alerted us to the breach.
A spokesperson offered the following statement: "We can confirm contact information from a very small number of loyalty card holders (around 0.02 per cent) was accessed. We do not hold any financial data on the Costa loyalty card system. We immediately contacted the customers affected and we are continuing to remain vigilant."
In an email distributed to Coffee Club card members and seen by The Register, Costa explains it has "recently identified a small number of Coffee Card members (around 0.02 per cent) with some unusual activity on their accounts". As a result, Costa claims it has conducted "a full security review" and has "in the interim" removed online access to Coffee Club accounts.
A Costa spokesperson indicated to the Reg that the 0.02 per cent affected by "unusual activity" number "in the low hundreds".
"We have already contacted those customers affected and we are taking the additional precaution to reset the account passwords of every Coffee Club member," states the email.
The coffeehouse also intends to introduce "a new format for your password to further optimise security and protect your Coffee Club points".
The club did not allow members to use passwords longer than 15 characters, and Costa has not so far confirmed how those passwords were stored. Given the personal details the club holds on each member, it seems as if a breach could allow some quite serious criminal activity.
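A 15-character cap and silence on storage are the two things a practitioner reads first in a notice like this, because neither is needed when passwords are salted and hashed with a slow function: the hash is fixed-width regardless of input length, and a stolen table of hashes yields no reusable secrets. The following is an added illustration of that approach, not code from Costa or from the Coffee Club app; the record format, the 1024-byte upper bound (a denial-of-service guard rather than a policy limit) and the iteration count are this example's own assumptions.

```python
import hashlib
import hmac
import secrets

# Assumed bound: large enough for any passphrase, small enough to cap the
# CPU cost of hashing an attacker-supplied multi-megabyte "password".
MAX_PASSWORD_BYTES = 1024
# Assumed work factor for PBKDF2-HMAC-SHA256; tune to your hardware budget.
PBKDF2_ITERATIONS = 600_000
ALGORITHM = "pbkdf2_sha256"


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record 'algo$iterations$salt_hex$digest_hex'.

    A fresh 16-byte salt is drawn per password, so two users with the same
    password get different records and precomputed tables are useless.
    """
    pw = password.encode("utf-8")
    if not pw:
        raise ValueError("empty password")
    if len(pw) > MAX_PASSWORD_BYTES:
        raise ValueError("password exceeds %d bytes" % MAX_PASSWORD_BYTES)
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", pw, salt, iterations)
    return "$".join([ALGORITHM, str(iterations), salt.hex(), digest.hex()])


def verify_password(record: str, candidate: str) -> bool:
    """Recompute the digest from the stored salt and compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False  # malformed record
    if algo != ALGORITHM:
        return False
    pw = candidate.encode("utf-8")
    if not pw or len(pw) > MAX_PASSWORD_BYTES:
        return False
    expected = bytes.fromhex(digest_hex)
    actual = hashlib.pbkdf2_hmac("sha256", pw, bytes.fromhex(salt_hex), int(iterations))
    # hmac.compare_digest avoids leaking how many leading bytes matched.
    return hmac.compare_digest(actual, expected)


def password_allowed(password: str) -> bool:
    """Policy check: a minimum length only; no arbitrary 15-character ceiling."""
    pw = password.encode("utf-8")
    return 12 <= len(pw) <= MAX_PASSWORD_BYTES


if __name__ == "__main__":
    # Constructed sample: a 42-character passphrase that a 15-char cap would reject.
    passphrase = "correct horse battery staple and then some"
    record = hash_password(passphrase)
    print(record)
    print("accepted by policy:", password_allowed(passphrase))
    print("verifies:", verify_password(record, passphrase))
    print("wrong password verifies:", verify_password(record, "correct horse"))
```

The stored record carries its own algorithm and work factor, which is what makes a later "new format" migration straightforward: on each successful login the server can re-hash with the current parameters and overwrite the old record, with no need to force a reset on every member.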
Several members of the Coffee Club have taken to Twitter to complain about a lack of information in the email from Costa.
"Email: Suspicious activity on some Costa Coffee Club accts means they'll reset my pw and implement "new format for your password". Breach?" - Marc Wickenden (@marcwickenden), April 22, 2015
"Had an email from Costa, looks like a data breach on their loyalty card DB. Very ambiguous, can't figure out what was taken." - kully (@superkully), April 23, 2015
The Register understands that the Information Commissioner's Office has not been contacted to report the breach. ®