Caribou Coffee Hit with Security Breach at 265 Stores

    It's unclear how many guests were affected.
    Security | December 2018

    Caribou Coffee issued a notice to guests December 20 regarding a “recent incident that may have involved access to your payment card information.” The data breach, the latest in a string of security issues for restaurants, involved at least 265 of Caribou Coffee’s branches, although it remains unclear how many customers were affected.

    The chain said it identified “unusual activity” on its network on November 28 through its information security monitoring process.

    “Upon identifying this issue, we began working with Mandiant, a leading cyber security firm, to understand the scope of the incident and determine whether there had been any unauthorized access,” Caribou said in a statement.

    Two days later, Mandiant reported that it detected unauthorized access to Caribou’s point-of-sale systems, exposing some of its customers’ data.

    Caribou said it stopped the unauthorized access immediately and is confident the breach was contained.

    “We sincerely apologize that this breach occurred and assure you that our team is working to help prevent data security issues from occurring in the future,” Caribou president John Butcher said in a statement. “The privacy and security of your information is very important to us and we remain committed to doing everything we can to maintain the confidentiality of your information. We appreciate your patience and loyalty as a customer.”

    The information targeted was from guests who visited between August 28 and December 3. Caribou said there is a possibility “that your name and credit card information, including card number, expiration date and card security code may have been accessed as a result of this unauthorized activity. Payments made through your Caribou Coffee Perks account or other loyalty account were not affected. Any catering orders placed online with Bruegger’s Bagels, Einstein Bros. Bagels, Manhattan Bagel and Noah’s NY Bagels were also not affected by this breach.”

    Caribou added that it is in close coordination with the FBI and is cooperating with its ongoing review, as well as using Mandiant to conduct an investigation.

    “Please be assured that we are closely monitoring our systems, data, and account access as we always do. Additionally, we are making the necessary changes to strengthen our network against any future attacks, and improve our payment systems to protect your information going forward,” Caribou added. “We also are in regular communication with the credit card companies and will provide them with the information necessary to notify the banks that may have issued the affected payment cards.”

    Dunkin’, in November, suffered an unauthorized breach of its rewards program. In April, it was revealed that up to 37 million customers could have been affected by information possibly leaked on Panera’s website. Applebee’s faced down a hack of 160 units in March, while in limited service, Jason’s Deli, Arby’s, Sonic Drive-In, Chipotle, Pizza Hut, and Wendy’s grappled with breaches in recent months.