Starbucks has confirmed a data breach affecting 889 employees after attackers used phishing sites impersonating the company's internal HR portal to steal login credentials and access sensitive employment records. The breach ran undetected for over two weeks, exposing Social Security numbers, financial account details, and personal information. Disclosed via Maine AG notification on March 11, 2026.
What Happened
On February 6, 2026, Starbucks discovered unauthorized access to employee accounts on Starbucks Partner Central, the company's internal HR platform used to manage employment details, benefits, payroll, and personal information.
A joint investigation with external cybersecurity experts determined that attackers had been inside the system since January 19 and maintained access until February 11, a 23-day window. Despite discovery on February 6, it took an additional five days to fully remove threat actor access. Starbucks has not explained the delay.
The attack vector was credential phishing: threat actors built and operated websites impersonating the Partner Central login portal, capturing employee credentials that were then used to access accounts directly. No malware or network intrusion was required; just stolen usernames and passwords used against a legitimate portal.
Starbucks notified law enforcement and began sending breach notification letters to affected employees on March 11, more than a month after discovery.
What Was Taken
Threat actors had full access to 889 Partner Central accounts, each containing:
- Full legal names
- Social Security numbers
- Dates of birth
- Financial account numbers and routing numbers (direct deposit/payroll data)
- Employment details and HR records
- Benefits information
This is a high-severity data class. SSNs combined with bank account and routing numbers create a direct path to identity theft, tax fraud, and unauthorized ACH transfers. The 889 figure reflects confirmed compromised accounts; actual data exposure may be broader depending on what each account could access.
Why It Matters
This breach pattern (fake employee portal, credential harvesting, direct account access) is increasingly the preferred playbook against large enterprises. It's low-cost, scalable, and bypasses most perimeter security entirely.
Key strategic points:
- HR platforms are high-value targets. They concentrate the most sensitive employee PII in a single authenticated interface. Compromising one account yields SSN + bank routing in a single session.
- The 23-day dwell time is the real story. Attackers had 18 days of access before Starbucks discovered anything, and then five more days before they were evicted. That gap is where real damage happens.
- Phishing-as-initial-access is resurging against employee-facing SaaS portals. Workday, ADP, UKG, and similar platforms are prime targets. If your HR vendor portal has no MFA enforcement, or only phishable MFA such as TOTP codes and push prompts, this is your threat model.
- Payroll data = immediate financial crime. Unlike leaked emails or usernames, bank routing numbers enable same-week ACH fraud. Affected employees face real, near-term financial risk.
The Attack Technique
Phishing → Credential Theft → Direct Portal Access
- Threat actors registered and operated websites designed to impersonate Starbucks Partner Central's login page
- Employees entered credentials into the fake portal; the delivery vector (email, SMS, or search-ad poisoning) has not been disclosed
- Stolen credentials used to authenticate directly to the real Partner Central platform
- Attackers browsed employee profiles, harvesting PII and financial data across 889 accounts
- No lateral movement or malware deployment reported; the attack stayed entirely within the application layer
This is a pure credential-abuse attack. No zero-days, no network exploitation. The only technical requirement was a convincing phishing page and a login that a harvested password could satisfy; MFA that is not phishing-resistant (TOTP codes, push approvals) would not have changed that, because a real-time phishing proxy relays the second factor along with the password.
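Because the attack stayed in the application layer, the portal's own authentication log is the place it shows up. The following is an added example (not Starbucks code and not based on any Partner Central log format) that runs three detections over a constructed batch of JSON-lines login events: impossible travel between consecutive logins for one user, a single source IP authenticating as several distinct accounts in a short window (the signature of replaying a batch of phished credentials), and a login from a device the user has never used before. The field names, the geo-IP and ASN enrichment, and the 900 km/h threshold are assumptions.

```python
import json
import math
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample events (not real logs). Assumed schema: ISO-8601 UTC timestamp,
# username, event type, source IP, geo-IP lat/lon, ASN and a device identifier,
# all enriched upstream by the log pipeline.
SAMPLE_LOG = """
{"ts":"2026-01-19T08:02:11Z","user":"p.alvarez","event":"login_success","ip":"203.0.113.7","lat":47.61,"lon":-122.33,"asn":"AS64500","device":"dev-a1"}
{"ts":"2026-01-19T08:40:03Z","user":"p.alvarez","event":"login_success","ip":"198.51.100.23","lat":52.52,"lon":13.40,"asn":"AS64510","device":"dev-z9"}
{"ts":"2026-01-19T08:41:20Z","user":"j.okafor","event":"login_success","ip":"198.51.100.23","lat":52.52,"lon":13.40,"asn":"AS64510","device":"dev-z9"}
{"ts":"2026-01-19T08:43:55Z","user":"m.chen","event":"login_success","ip":"198.51.100.23","lat":52.52,"lon":13.40,"asn":"AS64510","device":"dev-z9"}
{"ts":"2026-01-19T09:10:00Z","user":"s.patel","event":"login_success","ip":"192.0.2.44","lat":47.61,"lon":-122.33,"asn":"AS64500","device":"dev-b7"}
{"ts":"2026-01-19T17:30:00Z","user":"s.patel","event":"login_success","ip":"192.0.2.45","lat":45.52,"lon":-122.68,"asn":"AS64500","device":"dev-b7"}
"""


def parse_events(text):
    """Parse JSON-lines auth events and return them sorted by timestamp."""
    events = []
    for line in text.strip().splitlines():
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two lat/lon points (Earth radius 6371 km)."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def impossible_travel(events, max_kmh=900.0):
    """Flag consecutive successful logins by one user that imply travel faster than max_kmh."""
    alerts, last = [], {}
    for ev in events:
        if ev["event"] != "login_success":
            continue
        prev = last.get(ev["user"])
        if prev is not None:
            hours = (ev["ts"] - prev["ts"]).total_seconds() / 3600
            km = haversine_km(prev["lat"], prev["lon"], ev["lat"], ev["lon"])
            # Same timestamp from different places is impossible; same place is not.
            speed = km / hours if hours > 0 else (float("inf") if km > 0 else 0.0)
            if speed > max_kmh:
                alerts.append({"user": ev["user"], "from_ip": prev["ip"], "to_ip": ev["ip"],
                               "km": round(km), "kmh": round(speed)})
        last[ev["user"]] = ev
    return alerts


def shared_source(events, min_users=3, window_minutes=60):
    """Flag a source IP that authenticates as min_users or more distinct accounts within the window."""
    by_ip = defaultdict(list)
    for ev in events:
        if ev["event"] == "login_success":
            by_ip[ev["ip"]].append(ev)
    flagged = {}
    for ip, evs in by_ip.items():
        for i, ev in enumerate(evs):
            start = ev["ts"] - timedelta(minutes=window_minutes)
            users = {e["user"] for e in evs[: i + 1] if e["ts"] >= start}
            if len(users) >= min_users:
                flagged[ip] = sorted(users)
    return flagged


def new_device_logins(events):
    """Flag logins from a device id the user has never used; a user's first login seeds the baseline."""
    seen, alerts = defaultdict(set), []
    for ev in events:
        if ev["event"] != "login_success":
            continue
        devices = seen[ev["user"]]
        if devices and ev["device"] not in devices:
            alerts.append((ev["user"], ev["device"], ev["ip"]))
        devices.add(ev["device"])
    return alerts


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("impossible travel:", impossible_travel(evs))
    print("shared source IPs:", shared_source(evs))
    print("new devices:", new_device_logins(evs))
```

On the sample, p.alvarez's second login is flagged for impossible travel (Seattle to Berlin in 38 minutes) and as a new device, and 198.51.100.23 is flagged for logging into three different accounts in a few minutes, while s.patel's Seattle-to-Portland move over eight hours passes. In production these would be enrichment joins and a scheduled query in the SIEM rather than a script, but the signals are the same.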
What Organizations Should Do
- Enforce MFA on all HR and payroll portals, no exceptions (Partner Central, Workday, ADP, UKG). If it holds SSNs or bank data, MFA is non-negotiable. Phished passwords are worthless against phishing-resistant MFA such as FIDO2/WebAuthn passkeys; TOTP codes and push approvals raise the bar but can be relayed by a real-time phishing proxy, so prefer passkeys wherever the vendor supports them.
- Monitor for impossible travel, concurrent sessions, and one source IP authenticating as many different accounts on HR platforms. A login from an unfamiliar IP or device that then reads payroll data should trigger an alert, not a silent success.
- Register and monitor lookalike domains for your employee-facing portals. Attackers need a convincing phishing site. Tools like URLScan, PhishTank monitoring, and brand protection services catch these early.
- Audit your breach notification timeline. Starbucks discovered the breach Feb 6, evicted attackers Feb 11, and notified employees March 11. That 33-day gap from discovery to notification, while within legal limits in most states, gives attackers a long runway to monetize the stolen data before victims can freeze credit or lock their bank accounts. Accelerate your internal escalation and notification playbooks.
- Alert affected employees to watch for tax fraud, not just bank fraud. SSNs stolen in January are frequently used to file fraudulent tax returns before the actual victim files. Advise affected staff to obtain an IRS Identity Protection PIN (IP PIN) immediately.
- Review phishing simulation coverage for HR portal impersonation scenarios. Most phishing training focuses on generic credential harvesting. Add HR-portal-specific lures to your simulation library.
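Lookalike-domain monitoring starts with knowing which names to watch for. The following is an added example (not Starbucks code, and the brand domain partner-portal.example is a placeholder, not the real Partner Central hostname) that generates a dnstwist-style candidate set from a brand domain (character omission, transposition, repetition, homoglyphs, hyphen changes, keyword affixes, TLD swaps) and then triages a constructed feed of newly observed hostnames, such as one would pull from certificate transparency logs or a registration feed, into lookalikes, brand-as-subdomain names, and names that merely contain the brand. The keyword and TLD lists and the homoglyph table are assumptions to tune for your own brand.

```python
# Single-character substitutions a phisher uses to pass a visual check (assumed table).
HOMOGLYPHS = {"o": ["0"], "l": ["1", "i"], "i": ["l", "1"], "m": ["rn"], "rn": ["m"],
              "e": ["3"], "a": ["4"], "s": ["5"], "w": ["vv"], "d": ["cl"]}
# Affixes typical of HR/SSO lures and alternative TLDs to check (assumed lists).
KEYWORDS = ["login", "sso", "hr", "portal", "secure", "my", "benefits", "payroll"]
TLDS = ["com", "net", "org", "co", "info", "app", "site"]


def split_domain(domain):
    """Split 'label.tld' into its registrable label and TLD."""
    label, _, tld = domain.lower().rpartition(".")
    return label, tld


def lookalikes(domain):
    """Generate the set of lookalike hostnames for a brand domain (excluding the domain itself)."""
    label, tld = split_domain(domain)
    out = set()
    for i in range(len(label)):                       # omission and repetition
        out.add(label[:i] + label[i + 1:])
        out.add(label[:i] + label[i] + label[i:])
    for i in range(len(label) - 1):                   # transposition
        out.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])
    for src, subs in HOMOGLYPHS.items():              # homoglyph substitution
        idx = label.find(src)
        while idx != -1:
            for sub in subs:
                out.add(label[:idx] + sub + label[idx + len(src):])
            idx = label.find(src, idx + 1)
    out.add(label.replace("-", ""))                   # hyphen removal / insertion
    for i in range(1, len(label)):
        if label[i - 1] != "-" and label[i] != "-":
            out.add(label[:i] + "-" + label[i:])
    for kw in KEYWORDS:                               # keyword affixes
        out.update({f"{label}-{kw}", f"{kw}-{label}", f"{label}{kw}", f"{kw}{label}"})
    out.discard(label)
    names = {f"{l}.{tld}" for l in out}
    names.update(f"{label}.{t}" for t in TLDS if t != tld)   # TLD swaps
    return names


def classify(name, domain, generated):
    """Return the lookalike category for an observed hostname, or None if it is unrelated or legitimate."""
    label, _ = split_domain(domain)
    name = name.lower().rstrip(".")
    if name == domain:
        return None
    if name in generated:
        return "lookalike"
    if name.startswith(domain + ".") or ("." + label + ".") in ("." + name):
        return "brand-as-subdomain"
    if label.replace("-", "") in name.replace("-", ""):
        return "brand-substring"
    return None


def triage(feed, domain):
    """Map every suspicious hostname in a feed to its category; unrelated names are dropped."""
    generated = lookalikes(domain)
    hits = {}
    for name in feed:
        category = classify(name, domain, generated)
        if category:
            hits[name] = category
    return hits


# Constructed feed of newly observed hostnames (not real registrations).
FEED = [
    "partner-portal.example",            # the legitimate domain itself
    "partnerportal.example",             # hyphen dropped
    "partner-p0rtal.example",            # homoglyph
    "partner-portal-login.example",      # keyword suffix
    "partner-portal.example.evil.test",  # brand as a subdomain of an attacker host
    "login-partnerportal.test",          # brand embedded in another name
    "unrelated.test",
]

if __name__ == "__main__":
    for name, category in sorted(triage(FEED, "partner-portal.example").items()):
        print(f"{category:20} {name}")
```

Feed the generated set into your registrar's domain watch or a CT-log monitor, and block-list or take down hits as they appear; the brand-as-subdomain category is the one registration monitoring alone misses, because the attacker never registers anything containing your name.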