back to article Costa Coffee Club members wake up and smell the data breach

Costa Coffee is warning customers it may have suffered a security breach and, alongside resetting the passwords for all of its Coffee Club accounts, is going to implement a "new format" for users' passwords. The Costa Coffee Club is Costa's "little way of saying thanks", and it certainly is little, offering five pence for …

  1. Anonymous Coward
    Anonymous Coward

    I like Costa

    in the main. However, they appear to be going down the fashionable route of insisting you "contact them" via social media. What on earth is wrong with an old fashioned email ?

    The reason I recently wanted to contact them, was to express my utter disgust that all the staff at their Harborne branch seemed perfectly OK with s customer bringing her rat-on-a-string dog in. Or are they aiming for the *real* Parisian cafe culture ?

    1. Gordon 10 Silver badge
      FAIL

      Re: I like Costa

      What's wrong with a truly old fashioned letter of complaint to their CEO?

      I think you are being a bit optimistic in expected any electronic communication not sent to a specific address and a with a specific subject getting anything more than a rote response.

      Besides - report the branch to the council food hygiene peeps.

    2. Anonymous Coward
      Anonymous Coward

      Re: I like Costa (Email Contact addresses should be required)

      Have an upvote!

      It should be absolutely MANDATORY that there be a plainly visible contact email ADDRESS on every companies web page. NOT a web mail form but a plain address so that you can actually contact people and use more than 140 characters to do so.

      I for one will not ever use "social media" to communicate with anyone! Not going to get an account so I can, I will just stop using their product or service if they force me.

      Email is not "old fashioned", it is my opinion that "asocial" media is a fad for fatuous poseurs and limits free speech. Texting is not conducive to communication.

      Companies don't want you to be able to contact them easily and have a cogent discussion, they want you to jump through the hoops they deliberately put up to prevent the extra work of having real customer service.

      1. Anonymous Coward
        Anonymous Coward

        Re: I like Costa (Email Contact addresses should be required)

        It should be absolutely MANDATORY that there be a plainly visible contact email ADDRESS on every companies web page...you mean like germany? where practically every website has to have an "impressum" with information such as the address...even if it's just your personal blog...as soon as you express an opinion you fall under the journalistic umbrella and bang - you're legally required to give your address to world and dog (I know you said company but what about self-employed? and what if you have ads on your website? etc).

        1. Anonymous Coward
          Anonymous Coward

          Re: I like Costa (Email Contact addresses should be required)

          "It should be absolutely MANDATORY that there be a plainly visible contact email ADDRESS on every companies web page."

          Problem there is that spammers harvest published email addresses and sell them on to everybody. This renders your published address next to useless in short order; with the attendant time cost and the danger of missing out on a genuine -possibly critical- message because it's buried in crap. And obfuscation doesn't work (like putting the address as name (at) domain.com or publishing the address as a graphic) as spammers just hire someone cheap to dig up a list of contact addresses.

          The only way to stop this is to not publish the email while still making contact possible (and, importantly, easy for the customer); hence contact forms.

          So now you know.

          1. Anonymous Coward
            Anonymous Coward

            Re: I like Costa (Email Contact addresses should be required)

            "Problem there is that spammers harvest published email addresses and sell them on to everybody. This renders your published address next to useless in short order"

            I've had dealings with a number of companies that have had web-published customer service email addresses, and have responded quickly and effectively. Clearly they are managing to operate well despite the tsunami of spam, so I'm puzzled by those companies that aren't so competent.

            1. Anonymous Coward
              Anonymous Coward

              Re: I like Costa (Email Contact addresses should be required)

              I've had dealings with a number of companies that have had web-published customer service email addresses, and have responded quickly and effectively. Clearly they are managing to operate well despite the tsunami of spam, so I'm puzzled by those companies that aren't so competent.

              Well spam filters are better these days, and it also might be a question of scale...a company that can throw a couple of interns at it will fare better in this respect than your average one-man-band outfit. Likewise, a company that has a dedicated member of staff (or support department) to handle incomings will cope better than companies that work on a more ad-hoc basis. I've also been in places where a tsunami of spam would be welcomed by at least one staff member...an opportunity to look busy all day without having to engage a single neuron (and if anyone questions your productivity you can simply point to the 12,000 spam emails you dealt with last week).

              If you have a published email address (versus a web form) two things will happen:

              1) You will be spammed harder as time goes on

              2) You will have less people contacting you. Some people do not know how to cope with an email address and some people won't bother because it's extra effort.

              You can mitigate the spamming somewhat by obfuscation; or you can burn and replace your support email address at intervals (that is a bit risky though because you can alienate/ignore people trying to contact you on the old address).

              I'm not the world's greatest fan of webforms; but it really is the best option available at the moment. There is -for the user- that feeling of sending your message into the unknown: Some companies realise that and that is why you get the almost-instant "Yep we received it and you're in the queue to be dealt with" automated response from some places.

              Webforms are email essentially. It's a lightweight client to send in one direction to (usually) one address.

              Just remember to look for tickboxes so you don't sign yourself up to any mailing lists.

          2. Trigonoceps occipitalis

            Re: I like Costa (Email Contact addresses should be required)

            OK, but please let me have the option of a copy sent to my email. Then I know the web site has actually sent something somewhere (or not) and I have a copy of what I said.

            1. Anonymous Coward
              Anonymous Coward

              Re: I like Costa (Email Contact addresses should be required)

              @ Trigonoceps occipitalis:"OK, but please let me have the option of a copy sent to my email."

              I see your point, but this can be a risky thing for a company to do...you would then run the risk of

              1) Your webform being used as a spamming engine (if it's only relaying messages to your customer support address then it's fairly easy to lock down; but if you allow it to send to multiple addresses, some of which are user-defined it all becomes more tricky). Remember also that if your webform gets caught spamming, your whole domain will be locked down for at least a couple of hours until you can get yourself out of the blackhole. Possibly multiple domains, if they share the same IP address. During that lockdown, people attempting to contact you will not be able to send you email; and that can be expensive; possibly disastrous. At the very least, it doesn't look good.

              2) Badly set up forms (ie, where it is not explicitly stated in the body text that this message is from a webform at $site) could also be used to send convincing messages from a genuine live company address. Pretty sure there is some potential for havoc there.

              The standard response is to send a very basic "yep we got it" email out automatically. Your message is normally stripped out/not included due to data protection. It's not uncommon for people (especially to support and similar) to have personal details, identifying information, maybe passwords. There's no way in hell a company is going to risk sending that, sight unseen. That's also why support emails from a company generally don't copy the whole conversation (because -amongst other things- it would give an attacker multiple chances to get their hands on delicious personal information).

              As soon as a company sends an email, they become legally liable for the contents.

              So while your request seems simple -and technically it is- it's entering shark-infested waters, legally speaking. It's not that nobody has thought of it; but if you consider the public reaction to both spamming and data breaches (and your proposal has potential for misuse in both areas); can you really blame companies for not wanting to go there?

        2. Destroy All Monsters Silver badge
          Holmes

          Re: I like Costa (Email Contact addresses should be required)

          with information such as the address

          Criticism of various supremacist organizations, gypsy gangs and Döner Oligarchs (and other orgs I will not name lest I be called names) must be pretty rare in Germany.

      2. Anonymous Coward
        Anonymous Coward

        Re: I like Costa (Email Contact addresses should be required)

        P.S. Oh yeah - forgot: You also cannot count on people having an email client these days. A lot of people use webmail, so you'd have to copy the email address, log into your email service, paste the address in and then type your message. Not everyone can do that and -of those that can- a significant number won't bother.

        So web forms aren't ideal; but they're fast and easy and everyone can use them.

        P.P.S. Totally with you on the attempts to force contact though social media. Fine if it's an option; but if that's the only means of contact then there will be no contact from me either.

    3. breakfast

      Re: I like Costa

      If it had been a dalmation or wolfhound that would have been fine...

      1. Florida1920

        Re: I like Costa

        If it had been a dalmation or wolfhound that would have been fine...

        Corgi?

    4. Anonymous Coward
      Anonymous Coward

      Re: I like Costa

      "they appear to be going down the fashionable route of insisting you "contact them" via social media. What on earth is wrong with an old fashioned email ?"

      Because most of this is led by "marketing Executives" who fall into 2 catergories. Early 20's fresh out of uni/college where they did 'media studies' or late thirties/fourties who want to think their still hip. Both groups think that the latest fad is the greatest thing ever.

      Basically get if you could get the latest 'media' star pictured shoving a cactus up their arse, they'd all be doing it the next week and declaring it was the future of doing business

    5. Velv Silver badge
      Paris Hilton

      Re: I like Costa

      Like you, I don't get this "contact us by social media".

      If I had a company serving the public, would I really want my dirty laundry aired in the full view of social media?

      1. I_am_Chris

        Re: I like Costa

        " If I had a company serving the public,

        would I really want my dirty laundry aired

        in the full view of social media?"

        That's exactly why it is a great avenue for getting a response. They want to be seen as being responsive to customer issues. I've had good experience with a few companies via Twitter.

        Much better than an email sent to /dev/null

    6. Viv Fletcher

      Re: I like Costa

      What the hell's wrong with dogs? Yours may be unhygienic, mine certainly isn't.

  2. Anonymous Coward
    Anonymous Coward

    Not that bothered

    The worst that any miscreant would be able to do in my account is rape it for the points value of a coffee. Other than that, it's the usual drill of unique email, password, and a whole bunch of made-up personal details. Surely nobody is daft enough to provide genuine details if they aren't needed?

    1. Nigel Brown

      Re: Not that bothered

      Ask the 1.4 billion Facebook users, of whom probably 1.3 billion give accurate details.

    2. Elmer Phud

      Re: Not that bothered

      There are several born every minute.

      That's what those who dip in to servers rely on.

  3. Elmer Phud

    " "recently identified a small number of Coffee Card members (around 0.02 per cent) with some unusual activity on their accounts". "

    How is it that it's always a 'small number' that is affected?

    First they don't know what's going on - next they have minute details.

    1. werdsmith Silver badge

      "How is it that it's always a 'small number' that is affected?"

      0.02% with some unusual activity

      Because following a breach, the folks that stole the information either don't have time to mess about with every account, or they attempt to work quietly so as not to give the game away.

      So, they could have got all customer details, but have only touched a few accounts.

    2. eSeM

      "recently identified a small number of Coffee Card members (around 0.02 per cent) with some unusual activity on their accounts"

      How is it that everyone I know with a Costa card and web login got one of these emails to reset their passwords ....

  4. David Nash

    I have one of these cards and have managed to accumulate enough points for a free coffee or two, over the years. But I didn't bother registering online, especially after I noticed what they asked for.

    It works fine as a loyalty card without registering it.</smug mode>

  5. Dave 27

    To top it all, the process they describe to do password resets involves them sending you a new password in clear text email.

    "1. Close your existing app session

    2. Reopen the app and click 'forgotten password' to reset it

    3. Use the new password that is emailed to you to log back into the app

    "

    1. breakfast
      Facepalm

      Welp, sounds like they've got the security stuff sorted out now. Everything is going to be fine. No chance of future boo-boos from these security masterminds.

    2. Dave Bell

      That's pretty standard, and the password they send you is temporary. There are better ways, but how is your email set up? Whether it's a temporary password or a link, how secure is the customer's email?

      I'm a little more concerned about step 5, which you didn't quote:

      3. This will trigger a new temporary password

      4. Use this to log back into the page

      5. If you wish you can change this to something more memorable under the account menu

      It looks like there might be different versions of the email. The email I got is consistent with the temporary password being displayed to you via https. But I would still change it: the 5th instruction is a bit too vague.

      It does make sense to send it by email, since they ask you for the account's email address.

      Incidentally, the 5% return is pretty decent as these things go. A certain supermarket only returns 1%. So they're not so bad.

  6. Colin Miller

    Password format

    [Costa are going to] implement a "new format" for users' passwords.

    Am I cynical enough to read that as "storing it hashed and salted, rather than plain-text"?

    1. Tromos

      Re: Password format

      FTFY

      "storing it hashed and salted and with a sprinkle of chocolate on top..."

    2. This post has been deleted by its author

  7. paulf Silver badge
    Facepalm

    Do they really need a DoB?

    I understand (IANAL) that under the DPA a company should only request personal information directly relating to the reason it's being processed. If you're reporting a broken street light to the council they may want an email or phone number to let you know when it's been fixed, but they have no right to ask completely unrelated things like your DoB or NI number for example.

    In that case what the hell is a fucking coffee house asking people for their Date of Birth for?? If all redemption is via the App or in store then they'd struggle to justify the postal address!

    Oh right, yes, I should have realised. The App was designed by the Marketing droids who want their pound of flesh in exchange for the crumbs of "reward"...

    1. John Brown (no body) Silver badge

      Re: Do they really need a DoB?

      "In that case what the hell is a fucking coffee house asking people for their Date of Birth for??"

      Probably it's "required" so that you can claim a free coffee on your birthday. Meanwhile they collect "valuable" demographic information.

      1. paulf Silver badge
        Holmes

        Re: Do they really need a DoB?

        @ John Brown (no body)

        I agree, that's probably the reason given for asking for it (they may also say it's so they can use it to confirm the user's identity) but it would still, in my opinion (again, IANAL) be superfluous to the reason for processing the data.

        People who hand over this information blindly also need to take responsibility for the consequences of handing over their personal data to all and sundry, but that doesn't forgive the organisation for having non-existent security to protect those superfluous details.

        If we had a decent Data protection organisation they'd have stamped out this kind of unjustified data harvesting before it got out of the starting blocks. I'll not hold my breath because decent data protection would be "Anti-Business"...

  8. Anonymous Coward
    Anonymous Coward

    Or are they aiming for the *real* Parisian cafe culture ?

    That's when the dogshit is outside the door.

  9. g7rpo

    Give away all that info

    For 5% of what's being spent, marketers wet dream

  10. Anonymous Coward
    Anonymous Coward

    Contacting companies

    I completely get why email addresses aren't published, and webforms (even with CAPTCHA) are required,

    I don't have an issue with webforms, except when they redirect to /dev/null, as Remingtons does.

    I had a problem with a Remington product. Used their webform to ask for details of claiming under their warranty (was over a year old).

    (I did this, because I *like* email. I can send it when *I* want to, and get on with *my* life. Yes, there is a phone number for such things, but I tried twice and waited 10 minutes before giving up.)

    A month passes - nada. Mentioned this to a colleague who immediately suggested Twitter. One tweet got a response within 2 hours, asking for more details. I pointed out all the details were in the webform. They replied they never read them, so I had to resupply them.

    1. Anonymous Coward
      Anonymous Coward

      Re: Contacting companies

      "(Remington) ...replied they never read them, so I had to resupply them."

      Well there's a hint as to who shouldn't be on your list when next buying a new razor, then.

      1. Anonymous Coward
        Anonymous Coward

        Re: Contacting companies

        The thing is, most companies are shite at customer service, and end up behaving in a manner which is counter productive. Let's examine the anatomy of the most common reason for interaction with customer services to start with. A complaint.

        Immediately, you should know there are 2 types of customers Keepers and Losers. Losers are the sort who expect nothing to ever go wrong in the world ever. They're the ones who foam at the mouth, raise their voices, etc etc. Basically people you'd much rather went and wasted someone elses (ideally your competitors) time. Because you can never do enough to "make it up to them".

        The other type - and I include myself here - aren't idiots, and know (FFS I work in IT) that occasionally things go wrong (we're grown ups). It's at that point that "S" needs to swing into action, deal with the complaint without evasion, lying, or bad grace. These are Keepers who will appreciate good service.

        Because it's only when things go *wrong* you get to see customer service.

        There are plenty of companies who have messed up in various ways that I will continue using (Amazon for one, Premier Inn for another) because they have exhibited excellent customer service when I have had a problem. There are also plenty of companies I won't use again, after a simple complaint gets ignored, or trivialised or blamed on someone else.

    2. Anonymous Coward
      Anonymous Coward

      Re: Contacting companies

      Step forward Virgin Media ...

      in 2010, our office closed, and the staff transferred to homeworking. As IT manager I was tasked with arranging business broadband. Being a (domestic) VM customer who has never had any problems with them (and excellent BB !) I fancied giving them a shot. ANYBODY but BT (who I have never had a good experience with, in 20 years).

      Duly found their website, and filled in the webform - full contact details provided - got an acknowledgement and waited for a call. Which never came. So BT got the gig after all (and were predictably shit - the poor CS team had to admit I had correctly predicted every point where they would mess up).

      Fast forward 6 months, and my employer is reviewing telephony and WAN provision, so VM are invited in. I "accidentally" commented on poor response as a concern in a pitch. Bit of a flurry after the meeting. Very red faces when they saw the acknowledgement. Even more red faces when they admitted they could find no trace of that enquiry. (Or, as I pointed out to them any other enquiry). They tried to tell my I should have called the sales team instead, but couldn't explain why I shouldn't have used the webform.

      Interestingly enough, my MP has a webform contact, and has never failed to reply.

  11. This post has been deleted by its author

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2020