Caribou Coffee Data Breach Could Have Exposed Credit Cards

Over 200 locations affected

Should brands be held to a higher standard when it comes to protecting customer data? Getty Images
Headshot of Marty Swant

Customer data was stolen from more than 200 Caribou Coffee locations, the Minneapolis-based coffee chain said on Thursday.

In a letter to loyalty customers, Caribou Coffee said credit card data and other information was stolen from as many as 265 locations in Minnesota and other states, including Colorado, Florida, Georgia, Iowa, North Carolina and Wisconsin.

The company said it first noticed “unusual activity” on Nov. 28 and started working with the cybersecurity firm Mandiant. On Nov. 30, Mandiant determined the breach occurred through the company’s point-of-sale system. According to Caribou, orders made through the company’s loyalty program were not affected by the breach.

In the letter, Caribou Coffee president John Butcher apologized for the breach.

“Please be assured that we are closely monitoring our systems, data and account access as we always do,” Butcher wrote. “Additionally, we are making the necessary changes to strengthen our network against any future attacks, and improve our payment systems to protect your information going forward. We also are in regular communication with the credit card companies and will provide them with the information necessary to notify the banks that may have issued the affected payment cards.”

It’s just the latest in a string of security breaches that continue to plague a variety of brands and industries. Last month, Marriott said a database with 500 million guest records for its Starwood brand was compromised, and earlier this week, NASA said a data breach exposed employees’ personal information.

The increased frequency of data breaches, along with increased scrutiny of data collection practices, raises questions about whether brands should be held to a higher standard when it comes to protecting customer data.

Congress could take up the issue next year. A number of lawmakers have expressed interest in federal legislation that would require prompter reporting after breaches occur and change how data is collected by tech companies and consumer brands.

@martyswant Marty Swant is a former technology staff writer for Adweek.