Was intrigued by the small Reuters story about Starbucks and Shake Shack being asked to rectify the over-collection of customers' personal information. Does anyone know how this was identified? Is it usually back-door inspection of locally-hosted servers?