The world’s largest coffeehouse, Starbucks, has confirmed a data breach stemming from a phishing attack on a business partner’s employee portal.
The February 2026 cyber attack targeted a Starbucks Partner Central worker, enabling the attacker to access employee data.
Upon learning of the data breach, Seattle, Washington-based Starbucks launched an investigation and notified relevant law enforcement authorities.
Starbucks confirms employee data breach
Starbucks has determined that the attacker accessed the personal information of its employees after breaching a partner’s portal that it uses to manage payroll and employee benefits. Starbucks says the data breach occurred between January 19 and February 11, 2026.
However, the coffeehouse learned of the data breach nearly a month after it occurred, highlighting the importance of real-time monitoring.
“On or about February 6, 2026, Starbucks Corporation (“Starbucks” or “we”) became aware of potential unauthorized access to certain Starbucks Partner Central accounts,” the company stated. “The investigation has determined that an unauthorized third party accessed certain Starbucks Partner Central accounts after obtaining the login credentials through websites impersonating Partner Central.”
The data breach leaked the victims’ names, dates of birth, Social Security Numbers, financial account numbers, and bank routing numbers. Those personal details could enable online fraudsters to commit identity theft. However, the data breach does not affect customers, and Starbucks’ IT systems were unaffected.
According to a data breach notification filed with the Office of the Maine Attorney General, the leak affected 889 employees. Starbucks employs 380,000 people across 41,000 locations in 88 countries. It reports annual revenue of about $37.2 billion.
Meanwhile, Starbucks says it has implemented additional security measures to enhance the security of the Partner Central accounts to prevent further compromise.
Additionally, the coffeehouse is offering 24 months of free identity theft protection services through Experian IdentityWorksSM. Starbucks has also notified impacted individuals through written data breach notices beginning March 10, 2026.
So far, Starbucks has not attributed the data breach to any threat actor and has not disclosed receiving any ransom demands. Cybercriminals typically publish the stolen information on dark web or surface data leak sites once ransom negotiations fail. No evidence that the attacker has published or misused the stolen information.
When neither the victim organization nor the threat actor releases any information, it could signal that ransom negotiations were underway or under consideration. Nevertheless, Starbucks has not indicated that it plans to pay the ransom.
However, the FBI discourages paying the ransom as it does not guarantee data recovery, and it incentivizes cybercriminals to target the organization.
At the time of publication, no cybercrime gang has taken responsibility for the attack on the world’s largest coffeehouse chain.
This is hardly the first time the coffeehouse has experienced a data breach. In 2022, Starbucks Singapore suffered a data breach that affected approximately 220,000 customers.
In November 2024, Starbucks also experienced a Termite ransomware attack affecting Blue Yonder, a supply chain software provider, highlighting the risk posed by third-party vendors.
“When employees are tricked into logging into spoofed portals, attackers inherit the same level of access as the legitimate user,” explained Matthew Stern, Chief Security Officer at Hypori. “That becomes especially concerning when those systems contain payroll or HR data tied to bank accounts, routing numbers, and other financial information, where a single compromised login can quickly open the door to identity theft or financial fraud.”
Increased social engineering risk
Social engineering attacks exploiting the human factor have proven effective against corporate organizations with the best cyber defenses.
Recently, the notorious hacking group ShinyHunters has stepped up its social engineering attacks, targeting numerous organizations, including Single Sign-On (SSO) platforms such as Okta, Microsoft, and Google.
The voice phishing (vishing) attacks have impacted hundreds of downstream victims, highlighting the supply chain vulnerabilities of third-party vendors that attackers could exploit to target primary organizations.
