In 2015, Dunkin’ Donuts, the ever-popular stop for coffee and pastries, suffered a data breach. Breaches have grown in scope and damage since then, but at the time an incident of this size was still comparatively unusual. A third-party threat actor ran credential stuffing attacks against the “DD Perks” rewards program and, according to the New York Attorney General, gained access to almost 20,000 customer accounts. Breach disclosure laws require affected customers to be notified promptly; Dunkin’ Donuts did not notify its customers until 2018, as evidenced by this document.
For this reason the State of New York is now suing Dunkin’ Donuts for violating its breach disclosure laws. In the complaint, the Office of the Attorney General states the following:
Despite having promised customers that it would protect their personal information and company policies that required a thorough and deliberate investigation, Dunkin’ failed to conduct an appropriate investigation into, and analysis of, the attacks to determine which customer accounts had been compromised, what customer information had been acquired, and whether customer funds had been stolen...
Worse still, Dunkin’ failed to take any action to protect many of the customers whose accounts it knew had been compromised. Among other failures, Dunkin’ did not notify its customers of the breach, reset their account passwords to prevent further unauthorized access, or freeze the stored value cards registered with their accounts.
Dunkin’ Donuts publicly disputes this and says the lawsuit is without merit. Speaking to Tom Spring of Kaspersky Lab’s Threatpost, the company’s chief communications officer, Karen Raskopf, stated the following:
The investigation centered on a credential stuffing incident that occurred in 2015, in which third parties unsuccessfully tried to access approximately 20,000 Dunkin’ app accounts... The database in question did not contain any customer payment card information. The incident was brought to our attention by our then-firewall vendor, and we immediately conducted a thorough investigation. This investigation showed that no customer’s account was wrongfully accessed, and, therefore, there was no reason to notify our customers.
Dunkin’ Donuts and New York State therefore disagree on the facts. Both sides agree that a credential stuffing attack against roughly 20,000 DD Perks accounts took place in 2015; what they dispute is whether any of those accounts were actually accessed, and consequently whether the company was obliged to investigate further, reset passwords, freeze the stored value cards and notify customers. Any further developments in the case will be reported here.
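The central factual question, whether any accounts were actually accessed during the credential stuffing run, is exactly what a company’s authentication logs should be able to answer. The following Python is an added illustration, not code from the original article, from Dunkin’ Donuts or from the Attorney General’s filing: it flags source addresses that cycle through many distinct accounts with a high failure rate inside a short window, then lists the accounts that logged in successfully from those sources, which are the accounts that would need a password reset and a notification. The log format, field names, thresholds and the log lines themselves are constructed for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (assumed format, not real data):
# "<ISO timestamp> ip=<address> user=<account> result=<ok|fail>"
SAMPLE_LOG = """\
2015-05-10T01:00:00 ip=203.0.113.7 user=alice@example.com result=fail
2015-05-10T01:00:05 ip=203.0.113.7 user=bob@example.com result=ok
2015-05-10T01:00:11 ip=203.0.113.7 user=carol@example.com result=fail
2015-05-10T01:00:17 ip=203.0.113.7 user=dana@example.com result=ok
2015-05-10T01:00:23 ip=203.0.113.7 user=erin@example.com result=fail
2015-05-10T01:00:30 ip=203.0.113.7 user=frank@example.com result=fail
2015-05-10T01:00:36 ip=203.0.113.7 user=grace@example.com result=fail
2015-05-10T01:00:42 ip=203.0.113.7 user=heidi@example.com result=fail
2015-05-10T01:02:00 ip=198.51.100.4 user=carol@example.com result=fail
2015-05-10T01:02:20 ip=198.51.100.4 user=carol@example.com result=ok
2015-05-10T01:03:00 ip=192.0.2.9 user=alice@example.com result=ok
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)


def parse_auth_log(text):
    """Parse log lines into event dicts; lines that do not match the assumed format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "ip": m["ip"],
            "user": m["user"],
            "ok": m["result"] == "ok",
        })
    return events


def find_stuffing_sources(events, window=timedelta(minutes=5), min_users=5, min_fail_ratio=0.5):
    """Flag source IPs that, within any `window`, try at least `min_users` distinct accounts
    and fail at least `min_fail_ratio` of those attempts. A legitimate user retrying their
    own password hits one account, so the distinct-user threshold keeps them out.
    Returns {ip: stats} for the largest qualifying window per IP."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # slide the window start forward until it spans at most `window`
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            win = evs[start:end + 1]
            users = {e["user"] for e in win}
            fails = sum(1 for e in win if not e["ok"])
            if len(users) >= min_users and fails / len(win) >= min_fail_ratio:
                prev = flagged.get(ip)
                if prev is None or len(users) > prev["distinct_users"]:
                    flagged[ip] = {"distinct_users": len(users), "attempts": len(win), "failures": fails}
    return flagged


def compromised_accounts(events, sources):
    """Accounts with a successful login from a flagged source: these were actually accessed
    and need a password reset, a stored-value freeze and a customer notification."""
    return sorted({e["user"] for e in events if e["ip"] in sources and e["ok"]})


def targeted_accounts(events, sources):
    """Every account the flagged sources attempted, successful or not (the wider notification set)."""
    return sorted({e["user"] for e in events if e["ip"] in sources})


if __name__ == "__main__":
    evs = parse_auth_log(SAMPLE_LOG)
    srcs = find_stuffing_sources(evs)
    print("stuffing sources:", srcs)
    print("accessed accounts:", compromised_accounts(evs, srcs))
    print("targeted accounts:", targeted_accounts(evs, srcs))
```

The thresholds are deliberately conservative placeholders; in practice they would be tuned against baseline traffic, and source IP alone is a weak key because stuffing tools rotate through proxies, so the same logic is usually also keyed on user agent, ASN or device fingerprint.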
Featured image: Flickr / Mike Mozart