This article is more than 1 year old

Costa Coffee Club members wake up and smell the data breach

A rich roast of fail could brew up a lot of trouble for members

Costa Coffee is warning customers it may have suffered a security breach and, alongside resetting the passwords for all of its Coffee Club accounts, is going to implement a "new format" for users' passwords.

The Costa Coffee Club is Costa's "little way of saying thanks", and it certainly is little, offering five pence for every pound spent in-store, and "unlimited free Wi-Fi".

The app-accessed club requires a fair amount of customers' information, including names, emails, birth dates, phone numbers and physical addresses.

The Register contacted Costa after readers alerted us to the breach.

A spokesperson offered the following statement: "We can confirm contact information from a very small number of loyalty card holders (around 0.02 per cent) was accessed. We do not hold any financial data on the Costa loyalty card system. We immediately contacted the customers affected and we are continuing to remain vigilant."

In an email distributed to Coffee Club card members and seen by The Register, Costa explains it has "recently identified a small number of Coffee Card members (around 0.02 per cent) with some unusual activity on their accounts". As a result, Costa claims it has conducted "a full security review" and has "in the interim" removed online access to Coffee Club accounts.

A Costa spokesperson indicated to the Reg that the 0.02 per cent affected by "unusual activity" number "in the low hundreds".

"We have already contacted those customers affected and we are taking the additional precaution to reset the account passwords of every Coffee Club member," states the email.

The coffeehouse also intends to introduce "a new format for your password to further optimise security and protect your Coffee Club points".

The club did not allow members to use passwords greater than 15 characters in length. Costa has not so far confirmed how its passwords were stored. As such, it seems as if a breach could allow some quite serious criminal activities.

Several members of the Coffee Club have taken to Twitter to complain about a lack of information in the email from Costa.

The Register understands that the Information Commissioner's Office has not been contacted to report the breach. ®

More about

More about

More about


Send us news

Other stories you might like