Security Expert Sides With Starbucks, Thinks Hack Is Unlikely
Security expert Kevin Baranowski does not think that consumers have to worry about the Starbucks (NASDAQ: SBUX) app vulnerability.
"I think there's a risk that everybody needs to be concerned about," Baranowski, the Director of Business Development at Align Communications, told Benzinga. "People should know that the risk exists. But I don't think that's something that's so critical where someone is going to have [to worry about it]."
It was revealed earlier this week that an attacker with physical access to a user's phone could steal it, connect it to a computer and read a file in which the Starbucks app stored personal data in clear text. The personal data includes (but may not be limited to) the user's full name, password, home address and e-mail address.
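The attack path above works only because the app wrote secrets to a file on local storage. The following is an added example, not code from Starbucks or from Daniel Wood's disclosure, showing the basic mitigation: redact credentials before any diagnostic record is written to disk, then check the written file the way a thief with the phone would, by searching it for known secret values. The field names (`password`, `token`, etc.) and the sample records are constructed for illustration and are not taken from the real app.

```python
"""Added example (not Starbucks' code, not Daniel Wood's): redacting secrets
before they reach an on-device diagnostic log.

Field names and sample records below are constructed for illustration."""

from __future__ import annotations

import json
import re
import tempfile
from pathlib import Path

# Keys treated as secrets. Assumption: the app logs dict-shaped session
# records; a real app should key this off its own schema.
SECRET_FIELDS = {"password", "passwd", "pin", "token", "session_token"}

# Catch secrets that leak into free-text messages, e.g. "password=hunter2".
_KV_SECRET = re.compile(r"(?i)\b(password|passwd|pin|token)\s*[=:]\s*\S+")

REDACTED = "[REDACTED]"


def redact_record(record: dict) -> dict:
    """Return a copy of `record` with secret fields and embedded key=value
    secrets replaced. Nested dicts are handled recursively."""
    clean = {}
    for key, value in record.items():
        if key.lower() in SECRET_FIELDS:
            clean[key] = REDACTED
        elif isinstance(value, dict):
            clean[key] = redact_record(value)
        elif isinstance(value, str):
            clean[key] = _KV_SECRET.sub(lambda m: f"{m.group(1)}={REDACTED}", value)
        else:
            clean[key] = value
    return clean


def write_diagnostic_log(path: Path, records: list) -> None:
    """Write one JSON line per record, redacting before anything is persisted."""
    with path.open("w", encoding="utf-8") as fh:
        for rec in records:
            fh.write(json.dumps(redact_record(rec)) + "\n")


def log_leaks(path: Path, secrets: list) -> list:
    """Check a written log the way a thief with the device would: search it
    for known secret values. Returns the ones found (empty list = clean)."""
    text = path.read_text(encoding="utf-8")
    return [s for s in secrets if s in text]


# Constructed sample: what a naive session log might contain.
SAMPLE_RECORDS = [
    {"event": "login", "username": "alice@example.com", "password": "hunter2",
     "address": {"street": "1 Main St", "city": "Seattle"}},
    {"event": "debug", "message": "auth ok token=abc123 for alice@example.com"},
]


def demo() -> dict:
    """Write the sample log unredacted and redacted; report what leaks from each."""
    with tempfile.TemporaryDirectory() as tmp:
        naive = Path(tmp) / "naive.log"
        naive.write_text("\n".join(json.dumps(r) for r in SAMPLE_RECORDS),
                         encoding="utf-8")
        safe = Path(tmp) / "safe.log"
        write_diagnostic_log(safe, SAMPLE_RECORDS)
        secrets = ["hunter2", "abc123"]
        return {"naive_leaks": log_leaks(naive, secrets),
                "safe_leaks": log_leaks(safe, secrets)}


if __name__ == "__main__":
    print(demo())
```

Redaction only addresses the password and tokens. The name, address and e-mail the article also lists are personal data rather than secrets, and the stronger control for those is not to write them to an unprotected on-device file at all, or to keep them in the platform's protected credential store rather than a plain log.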
A Starbucks spokeswoman responded to the issue by telling CNNMoney that the possibility of the vulnerability being exploited is "very far-fetched."
"I would side with where Starbucks is coming from," Baranowski told Benzinga. "It is a risk -- but that risk is far-fetched."
Baranowski said that the security of the Starbucks environment (its back-end infrastructure and controls) is the critical factor, but that he is not currently up to speed on what Starbucks has in place there. His opinion is based solely on the exploit details published by security researcher Daniel Wood.
"[But] at the surface, I think that the amount of stars that have to align in order for that to be a general concern that everybody should have -- there's a lot of things that have to fall into perfect discourse," said Baranowski.
He added that he is also a Starbucks customer and Starbucks app user.
Hackers Like A Good Target
When its data breach went public, Target estimated that as many as 40 million customers could be affected. The company now puts the figure at 70 million.
"If you take a look at Target and what happened with those guys, there was a vulnerability that was there for a while," said Baranowski. "Whether they were doing proper testing on it or whether they were doing it at the level they needed to do it at, we don't know. Obviously there were some spots that they weren't testing because that's how some people were able to go in and get compromised information."
Baranowski said that it was "hard to say" if Target knew about the breach sooner than it claimed.
"Business is run by people," he said. "Whether they're doing it in a proper fashion, whether there are ulterior motives, we don't know. I can't speak to what Target says or does.
"However, the levels where people first identify critical issues is definitely not at the executive level. If you've got IT technical personnel and security experts, these are things that they should identify. They should know where there's a gap. If there are areas of vulnerability that are escalated up the chain, what that upper level does with it is supposed to be saying, 'Where's the business analysis? Where's the risk for us? Where's the risk for consumers?' etc."
Baranowski believes that if the breach involved millions of customers from the outset (as it appears), Target likely came forward as soon as it learned of the problem. But if a retailer experienced a smaller breach, affecting 100 people for example, the company (Target included) might notify only those specifically affected.
"It really depends on what their level of understanding of that gap was initially," Baranowski added. "Hopefully they didn't know it was going to be massive and just didn't say anything because of the retail aspect of it. But that's up for Target to understand. That's up to Target to identify."
Baranowski also said that retailers and other businesses may compare the cost of fixing an issue to the cost of staying silent.
"Sometimes, unfortunately, that's where business decisions are driven from -- 'What's my cost to correct and what's my cost to handle the issue if it comes out?'" he said.
Disclosure: At the time of this writing, Louis Bedigian had no position in the equities mentioned in this report.
© 2015 Benzinga.com. Benzinga does not provide investment advice. All rights reserved.