Customers of the popular tea-shop chain Teavana may be at risk of financial fraud and identity theft, according to a well-known security blogger.
Independent security blogger Brian Krebs said yesterday (April 22) that he had received multiple reports of a data breach on the company's servers.
Krebs' sources told him customer information, including credit and debit card details, may have been exposed and accessed by someone without authorization.
A spokeswoman for Starbucks, which acquired Teavana last year, told TechNewsDaily that the company could not comment on "any ongoing investigation," adding that such matters were often encountered during "the normal course of business."
Atlanta-based Teavana operates nearly 300 company-owned stores in the United States and Canada, and has franchise partners in Mexico and Kuwait.
Krebs said an anonymous reader tipped him off to the possible Teavana breach, which was later seconded by a contact at a major credit-card issuer.
The credit-card source said increasing fraud rates for cards recently used at Teavana was a strong indicator that the company's systems nationwide had been compromised.
It's not clear how many customers might be affected, but a source at a different credit-card issuer told Krebs that in early March his company had detected a pattern of cloned cards being used to purchase high-value gift cards at Target retail stores.
Upon further investigation, the card issuer found that cards used as early as the fall of 2012 may have been cloned and used fraudulently.
"It went from like nothing to 200 counterfeits in one week," Krebs' source said.
The same source told Krebs that the use of cloned cards strongly indicated that criminals had placed malicious software onto point-of-sale machines in order to steal the data stored on cards' magnetic strips.
The seriousness of the case prompted federal law enforcement to launch an investigation into the Teavana breach and subsequent financial fraud.
Data breaches along these lines are dangerous and costly, but they're nothing new. Just this month, Midwestern grocery chain Schnucks told its customers that a data breach had left the information for 2.4 million credit cards exposed to cybercriminals.
While there's no way a customer can tell whether a point-of-sale machine is infected with malware, customers should keep an eye out for physical " skimmers " attached to legitimate machines or held by unscrupulous cashiers.
Card holders can protect themselves from financial fraud by regularly keeping track of their finances, and to arrange with their card issuers so that they are notified if something seems abnormal or the outstanding balance reaches a certain level.