Multiple sources in law enforcement and the financial community are warning about a possible credit and debit card breach at Teavana, a nationwide tea products retailer. Seattle-based coffee giant Starbucks, which acquired Teavana late last year, declined to confirm a breach at Teavana, saying only that the company is currently responding to inquiries from card-issuing banks and credit card brands.
Over the weekend, KrebsOnSecurity received a tip from an anonymous reader who said Teavana had suffered a data breach that exposed credit and debit card information. A source at a major U.S. credit card issuer confirmed that the card brand has seen fraud rates indicative of a breach emanating from virtually the entire Teavana franchise, which spans more than 280 stores nationwide. Separately, a federal law enforcement official who asked not to be named said agents were indeed investigating a possible breach at Teavana.
On Sunday, I sent an inquiry to Teavana’s public relations folks. Today, I heard back from Starbucks spokeswoman Jaime Riley, who said Starbucks “takes its obligation to protect customers’ financial information very seriously,” and that the company “has safeguards in place to constantly monitor for any suspicious activity.” But she said the company doesn’t comment on ongoing investigations.
“In the normal course of business, we are contacted by card brands and bank partners to participate in requests to ensure the integrity of all systems, and we participate fully in these requests,” Riley said. “If and when issues are ever substantiated, we will take action to notify and support customers in the most appropriate way possible.”
A source at yet another big debit and credit card issuer said his fraud team became aware of the problem in early March 2013, when the financial institution began seeing a spike in fraudulent charges via counterfeit cards that were being used to buy high-dollar gift cards at Target retail locations.
The institution later found that nearly all of the counterfeit cards had previously been used at Teavana locations across the country, many as far back as late 2012 (Starbucks finalized its acquisition of Teavana on Dec. 31, 2012). The source added that the thieves’ ability to clone cards means that the attackers had almost certainly installed malicious software that extracts data stored on the card’s magnetic stripe — most likely from point-of-sale devices when customers swipe their cards at the register.
If confirmed, the incident would be just the latest breach involving popular retail locations. Last month, Schnucks, a St. Louis-based supermarket chain, disclosed that a data breach may have given hackers access to roughly 2.4 million credit and debit cards used by customers at 79 stores. Schnucks told the St. Louis Post-Dispatch that the company called in to investigate the breach — Alexandria, Va.-based Mandiant — found evidence that intruders had planted malicious software on the company’s network that was capable of capturing magnetic stripe data.
I’ll have more on this developing story as updates become available.