Photo by Markus Spiske on Unsplash

Last Tuesday, Sarah sat at her favorite coffee shop working on her laptop, sipping an overpriced oat milk latte. She needed to check her bank balance, so she connected to the WiFi network labeled "FreeWiFi" without thinking twice. Thirty minutes later, someone in Eastern Europe had already attempted to access her credit card. She never even noticed it happening.

This isn't a worst-case scenario. It's Tuesday for millions of people.

The Invisible Danger Nobody Talks About

Public WiFi networks, especially in coffee shops, are basically the digital equivalent of leaving your front door unlocked with a note saying "valuables inside." When you connect to an unsecured network—and most café WiFi is unsecured—you're broadcasting your data like a loudspeaker in a crowded room. Every website login, every email you send, every document you access becomes potentially visible to anyone on the same network.

The problem isn't that this technology is new or mysterious. It's been a known security risk for over a decade. What's infuriating is that café owners, chains like Starbucks, and even major retailers continue offering WiFi networks with zero encryption, zero password protection, and zero accountability.

A 2023 Norton study found that 45% of coffee shops in major US cities offer completely unencrypted WiFi. That's not negligence anymore—that's choosing convenience over customer safety, then pretending the problem doesn't exist when someone gets hacked.

Why Businesses Keep Making This "Mistake"

Here's the thing: it's not really a mistake. It's a calculation.

From a business perspective, offering "free" WiFi is cheap marketing. It costs the café almost nothing to throw up a basic router, slap a catchy network name on it, and watch customers camp out for hours, buying just one coffee. The liability? Well, that's someone else's problem.

Most café owners will tell you they offer WiFi "as a service to customers." What they don't mention is that they've likely never read their own liability agreement with their internet provider. Even fewer have implemented any security measures beyond the login screen that asks for your email address—something that does absolutely nothing to protect your data.

The major players are worse. Starbucks offers WiFi in thousands of locations. Target offers it in every store. McDonald's offers it across the entire chain. These aren't small operations that can claim ignorance. They have security teams. They have legal teams. They have IT departments. Yet they still choose to offer networks that a determined 15-year-old with basic hacking knowledge could exploit in minutes.

Why? Because fixing it would cost money, and the liability lawsuits from the rare cases that blow up publicly are still cheaper than rolling out proper security measures across their entire network.

The Real Victims Aren't Who You'd Expect

You might think it's mostly tech-savvy people losing thousands to identity theft. Actually, it's the opposite. The people hit hardest are the ones least likely to know they've been compromised.

Remote workers who spend all day at cafés are prime targets. They're logging into work systems, accessing company files, and handling sensitive information on networks where attackers can see everything. One hotel chain's IT director estimated that their company had at least three major security breaches per year traced back to employees using café WiFi.

Then there are the elderly. A coffee shop near my house has become a hangout spot for retirees who use the WiFi to video call their grandkids and check email. They absolutely have no idea that their unencrypted email is exposed. Several of them have reported suspicious charges, but none connected it back to the café.

Even small business owners running side hustles from coffee shops are at risk. One freelancer I know had her entire design portfolio stolen through a café network, and the thief started using her work to land clients. It took her three months of cease-and-desist letters to even find out it had happened.

What Could Be Done (But Won't)

The solution is stupidly simple: enable WPA3 encryption on the network. It takes fifteen minutes. It costs nothing additional. It would make public WiFi actually secure.

Some places do this. Some Apple Stores, some Whole Foods locations, and a growing number of smaller independent cafés have implemented proper security. They're the exceptions that prove the rule: it's not actually that difficult.

What's needed is pressure. Real pressure. When Target implemented encrypted WiFi in 2019, it wasn't because they suddenly cared about security—it was because it became a marketing advantage. Until customers start demanding it, or until someone major gets sued successfully for negligence, most businesses will continue treating public WiFi security like someone else's problem.

In the meantime, connect to a VPN before accessing your bank account at a café. Use two-factor authentication on everything that matters. Stop sending password resets through email on public networks. And maybe ask your coffee shop owner why they're OK with potentially compromising their customers' security.

If you're curious about how companies handle your data in other contexts, you might want to check out The Subscription Graveyard: Why Companies Keep Quietly Burying Features You Already Paid For—it's the same pattern of companies choosing profit over customer welfare.

The real complaint here isn't that public WiFi is unsafe. It's that it's been unsafe for years, everyone involved knows it, and nobody in a position to fix it gives enough of a damn to actually do it.