Phishing Campaign Against Starbucks' 'Partner Central' Portal Compromises Data of 889 Employees

Starbucks Discloses Data Breach Affecting 889 Employees via Phishing Attack

MEDIUM
February 12, 2026
March 12, 2026
4m read
Data BreachPhishing

Impact Scope

People Affected

889 employees

Industries Affected

RetailHospitality

Geographic Impact

United States (national)

Related Entities(initial)

Other

Starbucks Corporation Experian

MITRE ATT&CK Techniques

T1566.002Initial Access

Spearphishing Link

T1078Defense Evasion

Valid Accounts

T1555Credential Access

Credentials from Password Stores

Full Report(when first published)

Executive Summary

Starbucks Corporation has disclosed a data breach that compromised the sensitive personal and financial information of 889 of its employees (referred to as "partners"). The incident resulted from a phishing campaign that successfully harvested credentials for the company's internal "Partner Central" portal. The unauthorized access took place between January 19 and February 11, 2026. After discovering the suspicious activity on February 6, Starbucks, with the help of external experts, eradicated the threat from its systems. The compromised data includes Social Security numbers and bank account details. The company has emphasized that the breach was contained to the employee portal and did not impact any customer information. Affected employees are being offered 24 months of complimentary identity protection services.

Threat Overview

The attack was a classic credential phishing campaign. Threat actors created websites that convincingly impersonated the legitimate Starbucks "Partner Central" login page. Phishing emails were then sent to Starbucks employees, luring them to these fake sites where they were prompted to enter their login credentials. Once the attackers harvested a valid username and password, they used them to log into the real portal and access the employee's personal information.

The extended duration of access, from January 19 to February 11, suggests that the attackers may have been accessing accounts intermittently to avoid detection, or that the company's monitoring systems did not immediately flag the anomalous logins.

Technical Analysis

The attack chain followed a standard phishing-to-breach methodology:

  1. Reconnaissance: Attackers identified the URL and appearance of the legitimate "Partner Central" portal.
  2. Weaponization: They created imposter websites and crafted convincing phishing emails.
  3. Delivery: Phishing emails were sent to Starbucks employees (T1566.002 - Spearphishing Link).
  4. Exploitation (Social Engineering): Employees clicked the link and entered their credentials on the fake site (T1598.003 - Spearphishing via Service).
  5. Installation/Access: Attackers used the stolen credentials to log in to the legitimate portal (T1078 - Valid Accounts).
  6. Actions on Objectives: The attackers accessed and likely exfiltrated the sensitive PII and financial data available within the portal.

Impact Assessment

While the number of affected individuals (889) is relatively small compared to other major breaches, the impact on those employees is severe. The exposure of Social Security numbers combined with financial account and routing numbers puts them at extremely high risk for:

  • Identity Theft: Criminals can use this information to open new lines of credit, file fraudulent tax returns, or apply for loans.
  • Direct Financial Fraud: The bank account information could be used to attempt unauthorized electronic funds transfers.
  • Targeted Phishing: The attackers know the victims are Starbucks employees, which allows for highly convincing secondary phishing attacks.

For Starbucks, the incident is a blow to its internal security posture and trust with its employees. While no customer data was involved, the breach of sensitive employee data still carries reputational risk and the direct costs of the investigation, remediation, and identity protection services.

Data Exposed

  • Full Names
  • Social Security numbers (SSNs)
  • Dates of Birth
  • Financial account numbers
  • Bank routing numbers

Detection & Response

Starbucks detected suspicious activity on February 6, nearly three weeks after the unauthorized access began. This indicates a potential delay in detecting the anomalous logins. Once detected, the company engaged external experts and reports that it took five days to fully contain the incident and remove the attackers' access. The company has notified law enforcement and is providing identity protection services through Experian to the affected employees.

Mitigation

  1. Multi-Factor Authentication (MFA): The single most effective control that could have prevented this breach is the implementation of MFA on the "Partner Central" portal. Even with stolen credentials, the attackers would have been unable to log in without the second factor.
  2. Employee Security Training: Continuous training is needed to help employees recognize and report phishing attempts. This should include simulations of modern phishing techniques.
  3. Email Security: Deploy advanced email security solutions that can detect and block phishing links and impersonation attempts before they reach employee inboxes.
  4. Credential Breach Monitoring: Proactively monitor the dark web and criminal forums for compromised corporate credentials to detect breaches faster.
  5. Limit Data Exposure: Review the data available in internal portals like "Partner Central." Sensitive information like SSNs and bank account numbers should be masked or only accessible after an additional step-up authentication, if they need to be displayed at all.

Timeline of Events

1
January 19, 2026
Unauthorized access to employee accounts begins.
2
February 6, 2026
Starbucks becomes aware of suspicious activity.
3
February 11, 2026
Unauthorized access is fully contained.
4
February 12, 2026
This article was published

Article Updates

February 20, 2026

New details reveal the Starbucks data breach was a supply chain attack, compromising a third-party vendor's access to Partner Central, not direct employee phishing.

Update Sources:
cpomagazine.comStarbucks Confirms Data Breach from a Social Engineering Attack on a Business Partner
cybermanagementalliance.comFebruary 2026: Recent Cyber Attacks, Data Breaches, Ransomware Attacks

March 12, 2026

Starbucks filed breach notification with Maine AG, confirming exposure of employee dates of birth in addition to previously reported data.

Update Sources:
securityweek.comStarbucks Data Breach Impacts Employees
bleepingcomputer.comStarbucks discloses data breach affecting hundreds of employees
esecurityplanet.comStarbucks HR Portal Breach Exposes Employee Information

MITRE ATT&CK Mitigations

Multi-factor Authentication

M1032enterprise

Implementing MFA on the 'Partner Central' portal would have prevented the attackers from using the stolen credentials.

Mapped D3FEND Techniques:

D3-MFA

User Training

M1017enterprise

Training employees to recognize and report phishing emails is a critical layer of defense.

Restrict Web-Based Content

M1021enterprise

Use email and web filtering to block access to known phishing sites and newly registered domains.

Mapped D3FEND Techniques:

D3-UA

Timeline of Events

1
January 19, 2026

Unauthorized access to employee accounts begins.

2
February 6, 2026

Starbucks becomes aware of suspicious activity.

3
February 11, 2026

Unauthorized access is fully contained.

Sources & References(when first published)

Starbucks Breach Exposes Employee Data and Financial Info
Ampcus Cyber (ampcuscyber.com)
Starbucks Data Breach Exposes Personal Information of Hundreds of Users
Cyber Press (cyberpress.com)
Starbucks discloses data breach affecting hundreds of employees
BleepingComputer (bleepingcomputer.com)
Starbucks data breach impacts 889 employees
Security Affairs (securityaffairs.com)

Article Author

Jason Gomes

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & AnalysisSecurity Orchestration (SOAR/XSOAR)Incident Response & Digital ForensicsSecurity Operations Center (SOC)SIEM & Security AnalyticsCyber Fusion & Threat SharingSecurity Automation & IntegrationManaged Detection & Response (MDR)
LinkedIn

Tags

StarbucksData BreachPhishingPIISSN

📢 Share This Article

Help others stay informed about cybersecurity threats

🎯 MITRE ATT&CK Mapped

Every tactic, technique, and sub-technique used in this threat has been identified and mapped to the MITRE ATT&CK framework for consistent, actionable threat language.

🧠 Enriched & Analyzed

Observables and indicators of compromise (IOCs) have been extracted and cataloged. Risk has been assessed and correlated with known threat actors and historical campaigns.

🛡️ Actionable Guidance

Detection rules, incident response steps, and D3FEND-aligned mitigation strategies are included so your team can act on this intelligence immediately.

🔗 STIX Visualizer

Structured threat data is packaged as a STIX 2.1 bundle and can be visualized as an interactive graph — relationships between actors, malware, techniques, and indicators.

Sigma Generator

Sigma detection rules are derived from the threat techniques in this article and can be converted for deployment across any major SIEM or EDR platform.