top of page

Starbucks Singapore Data Breach: What Happened & What Can We Learn from This?

Updated: Apr 22, 2023

Starbucks Singapore, one of the most popular coffee chains in the country, recently suffered a data breach that exposed customers' personal information, including their names, email addresses, and mobile numbers. The incident was reported to the Personal Data Protection Commission (PDPC) and the police, and Starbucks has since notified affected customers and taken steps to enhance its cybersecurity measures.

In this blog post, we will dive into the details of the Starbucks Singapore data breach, including which obligation was breached, the potential penalty, and what we can learn from this incident.

What Happened?

On 10 March 2022, Starbucks Singapore discovered that its database had been illegally accessed, and personal information of customers who had registered for its loyalty program had been obtained. The stolen information included names, email addresses, and mobile numbers, but not passwords or credit card information.

Starbucks Singapore immediately launched an investigation and reported the incident to the PDPC and the police. It also engaged a cybersecurity firm to conduct a thorough review of its systems and processes and implement additional measures to enhance its cybersecurity posture.

Which Obligation Was Breached?

The Starbucks Singapore data breach appears to have breached the Personal Data Protection Act (PDPA), which is Singapore's main data protection law. Specifically, Starbucks Singapore failed to protect customers' personal information and prevent unauthorized access to its database, which are obligations under the PDPA.

Under the PDPA, organizations are required to make reasonable security arrangements to protect personal data in their possession or under their control. Failure to do so can result in penalties, including fines of up to S$1 million or 10% of an organization's annual turnover, whichever is higher.

What Can We Learn from This?

The Starbucks Singapore data breach serves as a reminder that no organization is immune to cyber attacks, and that data breaches can have serious consequences for both the organization and its customers. In the case of Starbucks Singapore, the breach not only exposed customers' personal information but also undermined their trust in the brand.

To prevent similar incidents from happening, organizations need to take proactive steps to enhance their cybersecurity posture. This includes implementing robust security measures, such as firewalls and intrusion detection systems, regularly reviewing and updating their security policies and procedures, and conducting regular cybersecurity training for employees.

Moreover, organizations must be transparent and accountable when it comes to data protection. This includes promptly notifying affected customers and relevant authorities in the event of a data breach, and taking steps to prevent similar incidents from happening in the future.


The Starbucks Singapore data breach highlights the importance of data protection and cybersecurity, and the potential consequences of failing to meet obligations under data protection laws. By taking proactive steps to enhance their cybersecurity posture and being transparent and accountable in the event of a data breach, organizations can better protect their customers' personal information and maintain their trust in the brand.



Disclaimer: The information provided on all our blog post is intended for general informational purposes only and does not constitute legal advice. The author and publisher are not liable for any damages or losses resulting from reliance on this information. It is recommended to consult with a legal professional for specific advice regarding PDPA compliance and other related data privacy obligations.

bottom of page