Dunkin’ Donuts is being sued for violating New York state data breach notification laws. The lawsuit alleges that Dunkin’ parent company, Dunkin’ Brands, failed to disclose a breach in 2015 that affected nearly 20,000 customers who were part of the company’s DD Perks loyalty program.
New York Attorney General Letitia James filed the lawsuit Thursday accusing the donut maker of engaging in “past and ongoing fraudulent, deceptive, and unlawful practices.”
Dunkin’ Brands said the lawsuit lacks merit. In a statement to Threatpost on Friday, Karen Raskopf, chief communications officer for Dunkin’ Brands, said:
“There is absolutely no basis for these claims by the New York Attorney General’s Office. For more than two years, we have fully cooperated with the AG’s investigation into this matter, and we are shocked and disappointed that they chose to move ahead with this lawsuit given the lack of merit to their case.”
The lawsuit stems from a 2015 hacking incident in which attackers targeted the online DD Perks accounts of Dunkin’ Donuts customers via credential-stuffing attacks, according to the lawsuit. Credential stuffing is a technique in which an adversary automates login attempts using stolen username and password combinations, betting that victims reused the same credentials on other accounts.
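As an added illustration (not from the article, the AG’s complaint, or Dunkin’ Brands), the following Python check runs over constructed login-log lines and flags the credential-stuffing pattern just described: one source trying many distinct accounts in a short window. It also separates accounts that were merely attempted from accounts that actually logged in, which is the distinction a breach-notification decision turns on. The log format, window size and threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login log (not real data): timestamp, source IP, account, result.
SAMPLE_LOG = """\
2015-06-01T10:00:01 203.0.113.5 alice@example.com FAIL
2015-06-01T10:00:02 203.0.113.5 bob@example.com FAIL
2015-06-01T10:00:03 203.0.113.5 carol@example.com OK
2015-06-01T10:00:04 203.0.113.5 dave@example.com FAIL
2015-06-01T10:00:05 203.0.113.5 erin@example.com FAIL
2015-06-01T10:00:06 203.0.113.5 frank@example.com OK
2015-06-01T12:30:00 198.51.100.7 alice@example.com FAIL
2015-06-01T12:30:09 198.51.100.7 alice@example.com OK
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (OK|FAIL)$")

def parse(log_text):
    """Return (timestamp, ip, account, result) tuples; malformed lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, ip, user, result = m.groups()
            events.append((datetime.fromisoformat(ts), ip, user, result))
    return events

def detect_stuffing(events, window=timedelta(minutes=10), min_users=5):
    """Flag each source IP that attempts >= min_users distinct accounts inside a
    sliding time window (the credential-stuffing signature), and collect which of
    those accounts actually logged in: the set a breach notification must cover."""
    by_ip = defaultdict(list)
    for ev in sorted(events):
        by_ip[ev[1]].append(ev)
    findings = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1  # slide the window forward past old events
            chunk = evs[start:end + 1]
            users = {e[2] for e in chunk}
            if len(users) >= min_users:
                f = findings.setdefault(ip, {"distinct_users": 0, "accessed": set()})
                f["distinct_users"] = max(f["distinct_users"], len(users))
                f["accessed"].update(e[2] for e in chunk if e[3] == "OK")
    return {ip: {"distinct_users": f["distinct_users"], "accessed": sorted(f["accessed"])}
            for ip, f in findings.items()}
```

The second source in the sample (one user retrying its own password) is deliberately not flagged; only the source that sprayed six different accounts is, along with the two accounts it actually got into.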
According to the lawsuit, Dunkin’ Brands didn’t notify customers of the 2015 attack until Oct. 31, 2018. That’s when it notified DD Perks customers that their full names, email address (username), 16-digit DD Perks account number and DD Perks QR code may have been accessed in the attack.
“We immediately launched an internal investigation and have been working with our security vendor to remediate this event and to help prevent this kind of event from occurring in the future,” said Dunkin’ Brands in a 2018 statement regarding the 2015 incident (PDF).
According to the New York AG, Dunkin’ Brands had received numerous customer complaints, starting in May 2015, alleging their accounts were hacked. That’s nearly three years before Dunkin’ Brands publicly acknowledged the attack. The complaint also alleges that a third-party app developer (CorFire), working on Dunkin’ Brands’ behalf, had warned the company in June 2015 that 19,715 accounts had been compromised over a five-day period.
The lawsuit claims that Dunkin’ Brands, in 2015, failed to notify customers in accordance with the state’s data breach notification laws. It also said the company failed to reset passwords and freeze accounts of those impacted by the attack. In addition, it failed to adequately protect accounts from similar attacks in the future.
In February 2019, Dunkin’ Brands once again fell victim to a credential-stuffing incident. In that incident, 300,000 customers were notified within 30 days of the attack.
The state’s data breach notification law “requires that businesses disclose a breach of security to all New York State residents whose private information was, or is reasonably believed to have been, acquired without valid authorization,” according to the Attorney General.
In Dunkin’ Brands’ statement to Threatpost, Raskopf paints a different picture of what happened in 2015.
“The investigation centered on a credential stuffing incident that occurred in 2015, in which third parties unsuccessfully tried to access approximately 20,000 Dunkin’ app accounts,” Raskopf said. “The database in question did not contain any customer payment card information. The incident was brought to our attention by our then-firewall vendor, and we immediately conducted a thorough investigation. This investigation showed that no customer’s account was wrongfully accessed, and, therefore, there was no reason to notify our customers.”
Why target reward programs? There’s a growing underground market for loyalty program data. Hackers can sell the account credentials, or offer direct access to the accounts to people who then use the stored value, coupons, points and so on contained in them for themselves.