SEATTLE: Friday, Nov. 3
Starbucks Statement Regarding Computers Missing from Corporate Support Center    

Letter to impacted current or former Starbucks partners

Equifax Credit Watch™ Silver Monitoring Service information

Recently, we began a search for four retired (not in regular use) laptops which were missing from the Starbucks Corporate Support Center in Seattle. Two of these laptops contained the private information, including names and social security numbers, of nearly 60,000 United States partners (employees) and fewer than 80 Canadian partners and contractors at all levels employed across the organization prior to Dec. 31, 2003.

We want to emphasize that, at this time, we have no indication that this private information has been misused or that these devices are in the hands of someone intending to misuse the information. These laptops may still be in the possession of Starbucks; however, we cannot currently locate them. In accordance with Starbucks standards for information security, these laptops were password-protected.

Currently, we are making every reasonable effort to notify those partners whose information we believe to be on the missing laptops.

We encourage any partners with questions or concerns related to this incident and the steps we have taken to contact the Starbucks Information Security Helpline at 1-800-453-1048 between the hours of 8 a.m. and 8 p.m. PST.

As a result of this incident, we are reinforcing our policies and updating our procedures around the protection of personal data. We continue to educate our partners about items that will help them protect their personal information while making every effort to ensure that these situations do not occur.

Starbucks takes our commitment to safeguarding the personal information and security of our partners very seriously and we regret the inconvenience that this incident may cause. We are offering potentially affected persons a subscription to credit protection services at no cost.

Q&A

 

  1. When were the laptops first reported missing?
    In the normal course of business, Starbucks discovered that the out-of-use laptops were missing on Sept. 6, 2006 and promptly began an internal investigation.

  2. Did Starbucks lose the laptops or were they stolen?
    We do not currently have enough information to make that determination. As a precaution we have contacted the appropriate authorities and the investigation is ongoing. We have no indication that the private information potentially available on these laptops has been misused, nor have we confirmed they are in the possession of persons with criminal intent. The laptops may still be in the possession of Starbucks; however, we cannot currently locate them.

  3. What information is contained on the laptops?
    The missing laptops contain private information, including the names and social security numbers, of approximately 60,000 current and former U.S.-based partners (employees) or contractors, and the names and social insurance numbers of 79 current and former Canadian partners, who worked for Starbucks prior to Dec. 31, 2003.

  4. What steps have been taken to recover the laptops?
    As part of its internal investigation, Starbucks has communicated with all concerned parties and agencies that need to know.

  5. How far back in time would potentially affected employees have worked for Starbucks?
    The private information could belong to partners (employees) who worked for the company any time prior to Dec. 31, 2003.

  6. Has Starbucks contacted the police and relevant regulatory agencies or authorities? Is there a criminal investigation underway?
    Starbucks has contacted the police and is cooperating with them. Starbucks is continuing an internal investigation in an effort to determine exactly how this incident occurred and to address the breach of our information security policy. We have no reason at this time to think that the information on these laptops has been or will be misused.

  7. What steps has Starbucks taken to notify the potentially affected employees and to help them find the resources they need?
    Starbucks is sending letters to all potentially affected United States partners notifying them of the missing information. Canadian partners will be personally notified. We have also established a toll-free number from which partners can receive the latest news about this situation and assistance for protecting their identities.

  8. Is Starbucks providing credit checks and credit counseling free of charge to potentially affected people?
    Starbucks is providing credit protection services to all affected United States partners at no charge.

  9. How does Starbucks store sensitive partner information?
    Over the last three years, we have employed extensive efforts to ensure that the highest level of protection is in place for both our partner and consumer data. Sensitive Starbucks partner data is stored in a Starbucks secured data center within our Human Resources database.

    In April 2005, an extensive set of Information Security Policies and Standards was put into place to ensure that our technical, physical and human practices provide for the proper protection of our critical private or secret data, which includes partner, consumer, and business data. The policies and standards are continuously reviewed and updated at least twice a year.

  10. Who can access partners’ personal information?
    Access to this data is strictly controlled to a small, authorized group of partners (employees).

    Access is reviewed on a regular basis to ensure that only authorized individuals with appropriate responsibilities can access any of this information. Based on the type of review, some are performed daily, weekly, monthly or quarterly. Annually, these controls are also reviewed by external audit.

    Additionally, even those partners who can access this information are restricted to information that is relevant to their job.

  11. Given how commonly they are misplaced, why was sensitive information stored on a laptop in the first place?
    The laptops in question were considered "retired," thus not in everyday use. We are in a continuous review of our Information Security practices and are in the process of altering the manner in which we handle retired equipment. We are in the midst of changing our processes so that all spare or retired equipment will be returned to the owning department with no data remaining on the equipment.

    Placing any of this critical data, including Social Security numbers, on mobile equipment such as laptops is a violation of our policy. Regretfully, the data lost was placed on the missing laptops prior to the implementation of these policies and standards and it was unknown that this data existed on the laptops. It was only after extensive analysis of back-up data that we learned that the files existed.

# # #




Contact Information:
Customer Relations
(800) 235-2883 
info@starbucks.com