Why Google and Starbucks Still Have a Lot to Learn about Information Security

In Common / By Angus Batey / 27th July 2014

While two data points are just a coincidence, three could well be a trend: so I’ll be watching the news in the coming days for a third household-name company playing fast and loose with its customers’ personal information. In the past few days, both Google and Starbucks have been found to be pursuing policies regarding data breaches which, to this untrained and admittedly cynical eye, leave both companies wanting in the information-security department.

In both cases, the companies have been notified of a vulnerability that could lead to loss of customer data; both have claimed the security hole would require a complicated and unlikely attack to result in a compromise; and both have failed to patch the vulnerability for reasons that appear to suggest they place a surprisingly low value on the security of their customers’ private data.

Security researcher Daniel E Wood contacted Starbucks in December after discovering that the coffee chain’s app was storing account details – including user IDs, email addresses, geolocation information and passwords – in unencrypted clear text on customers’ mobile devices running Apple’s iOS. The flaw would also allow an attacker to access any money the customer may have had in a Starbucks account. Wood published his research on January 13, by which stage the company had not responded.
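The problem described above is one of client-side storage. As an added illustration, not code from the article or from the Starbucks app (the article does not say how the app persisted its data, so the property-list store below is an assumed stand-in), here is the insecure pattern beside the form an iOS developer would normally reach for, the Keychain:

```swift
import Foundation
import Security

// Assumed stand-in for the insecure pattern: UserDefaults is backed by an
// unencrypted .plist on disk, so anything written here is readable from a
// device backup or from the device itself. The password sits in clear text.
func storeCredentialsInsecurely(userID: String, password: String) {
    let defaults = UserDefaults.standard
    defaults.set(userID, forKey: "userID")
    defaults.set(password, forKey: "password")   // clear text on disk
}

// Hardened form: secrets go into the Keychain, which the OS encrypts with
// device-bound keys. Better still, keep a revocable session token rather
// than the password itself.
enum KeychainError: Error { case unexpectedStatus(OSStatus) }

private func baseQuery(service: String, account: String) -> [String: Any] {
    return [kSecClass as String: kSecClassGenericPassword,
            kSecAttrService as String: service,
            kSecAttrAccount as String: account]
}

func storeSecretInKeychain(service: String, account: String, secret: String) throws {
    guard let data = secret.data(using: .utf8) else {
        throw KeychainError.unexpectedStatus(errSecParam)
    }
    var query = baseQuery(service: service, account: account)
    // Remove any previous item so SecItemAdd does not fail with errSecDuplicateItem.
    SecItemDelete(query as CFDictionary)
    query[kSecValueData as String] = data
    // Readable only while the device is unlocked; never migrated via backup.
    query[kSecAttrAccessible as String] = kSecAttrAccessibleWhenUnlockedThisDeviceOnly
    let status = SecItemAdd(query as CFDictionary, nil)
    guard status == errSecSuccess else { throw KeychainError.unexpectedStatus(status) }
}

func readSecretFromKeychain(service: String, account: String) throws -> String? {
    var query = baseQuery(service: service, account: account)
    query[kSecReturnData as String] = true
    query[kSecMatchLimit as String] = kSecMatchLimitOne
    var item: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &item)
    if status == errSecItemNotFound { return nil }
    guard status == errSecSuccess, let data = item as? Data else {
        throw KeychainError.unexpectedStatus(status)
    }
    return String(data: data, encoding: .utf8)
}
```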

The story was picked up by technology reporters, and suddenly Starbucks were talking – but what they were saying wasn’t particularly edifying. The chances of the vulnerability being exploited were “very far fetched,” a spokesperson told CNN. Alongside the usual guff about how important their customers’ security was to the company, and a fix being worked on by a highly trained team of munchkins deep in the Starbuckian coffee mines at that very moment, an apology might have been the least the app’s 10 million users could have expected. But that appears to have been no more forthcoming than an acknowledgement from the company that, when developing the software, it had effectively chosen to prize ease of use over data security.

An open letter from the company’s CIO appeared on their website on January 16. It stresses the unlikelihood of compromise, highlights the company’s efforts to improve security in the app (a fix was released later that day – which raises the question: if it was that easy to resolve, why wait until the story had gone viral before designing and implementing it?), and says that, as of that writing, no customer had made the company aware of their data having been fraudulently accessed. The implication is that because nothing bad happened, Starbucks were justified in taking the risk in the first place. Again, conspicuous by its absence in the four-paragraph statement was any kind of apology from the company to its millions of app-using customers for having needlessly put their personal data at risk in the first place, never mind for weeks after Starbucks had been advised of the issue.

Starbucks really have no excuse to be exposing their worldwide customer base to this kind of risk, however unlikely someone in their PR department thinks it is that an attacker might wish to exploit it. But Google, as arguably the biggest information-technology company on the face of the planet, has even fewer legs to stand on. Tal Ater, a software developer who has designed a JavaScript-based tool that allows users of some browsers to control websites using voice commands, noticed that Google had left a potential hole in their Chrome browser which could allow malicious actors to switch on a Chrome user’s computer microphone covertly and monitor an audio feed of whatever was happening within range of the mic.

This was maybe not the biggest of deals to the average home or mobile user – who perhaps might reasonably suppose that anyone wishing to listen in on them as they took a train ride, did the laundry or shut their phone in a locker while they went to the gym for an hour could knock themselves out on such riveting listening material. But anyone using Chrome in an office where business of any degree of sensitivity or commercial confidentiality is conducted would be given pause for thought: all those conversations about product development, marketing strategies and customer relationships could provide a goldmine for a rival, or reveal compromising details of technology and strategy that a potential customer could leverage to get a better deal.

You’d have expected Google to rush to fix the problem. Instead, though, like Starbucks, their response was to, if not shoot the messenger, then to seek, through its statements to the media, to undermine the credibility of his message. It had all started off so much more successfully, too: as he explained in the blog post that detailed the vulnerability, Ater had reported the problem to Google, whose engineers had built fixes within days. And yet, four months on, the repaired software had yet to be released. When he asked why, Ater was told that Chrome’s speech-recognition software was compliant with existing standards: the problem wasn’t the software supplier’s, it was the standards authorities’. And when The Register picked up on Ater’s blog post, its reporter was told by Google that the browser was working as intended. The search giant gave the by-now over-familiar-bordering-on-worthless copperplate about the importance of their users’ security, and refused to explain when, or even if, the repaired software would ever be released.

In an era where trust in governmental intelligence agencies appears to be at an all-time low, because they’ve been storing information about us we consider to be private and doing so without our consent, we’ve come to rely on internet-based businesses to fight our corner in the battle for privacy and data-security online. Yet here are two of the biggest companies in the world, each stressing that the security of user data is among their highest priorities, both struggling with the concept that when something they’ve produced exposes their users to risk, it is not only their job to fix the problem, but that if they wish to retain their users’ trust – and therefore those users’ business – they need not only to take these problems seriously, but to be seen to be taking them seriously.

Resorting to the default setting of all corporations in moments of public crisis – sending the PR team out to provide the media-management equivalent of a police officer standing on a street corner with a megaphone shouting “nothing to see here, please move along” – is not going to have that effect. If we are to accurately parse the responses made to these vulnerability reports by Google and Starbucks, we can only conclude that both companies are banking on the vast majority of users not caring enough about the security of their data to let these stories have any noticeable effect on their spending habits. The coverage has been relatively obscure, and confined to the technical press: most users probably aren’t aware their data have ever been open to abuse. So if that is what they believe, both Starbucks and Google may well be right: but, just as the fact that an exploit is unlikely doesn’t mean it won’t ever happen, just because they can get away with it doesn’t mean that they should.