Would you care for some cream with your data breach?
Between 2015 and 2018, over 300,000 morning-goers got more than they bargained for while frequenting Dunkin’ Donuts locations. Approximately 36,000 of those customers were from New York, and NY Attorney General Letitia James has been unsettled (to say the least) about how Dunkin’ handled the situation.
So unsettled that Letitia James’ office has filed a lawsuit against the company.
Hackers attempted to gain access to Dunkin’ Donuts customer accounts using automated software that guessed IDs and passwords. Once credentials were collected, online and mobile app accounts were compromised and “tens of thousands” of dollars (in customer rewards) were stolen from those accounts.
That’s a lot of coffee.
The lawsuit denounces the donut giant for “mishandling” the cyberattacks and violating New York’s data breach notification laws by “repeatedly failing to take adequate action to safeguard consumers, or to inform them about the true extent of the attacks.”
During the 2015 attack, Dunkin’ neglected to tell its affected customers, even after the company had been notified by its app developer CorFire halfway through the year. According to the suit, customers’ accounts were not frozen, passwords were not reset, and its own protocol or “Computer and Data Security Incident Response Plan” seemed to be overlooked. (We have these protocols for a reason!)
Overlooked, until a breach happened again in 2018.
This new breach affected over 300,000 coffee consumers, too many to sweep under the rug as the company had done several years prior; this at least warranted a notification. An alert went out to notify them that a third party had attempted to gain access to their accounts but had failed. The lawsuit’s accusation is that the company’s “representation to consumers that it used reasonable safeguards to protect consumers’ personal information, and the company’s statements concerning the 2018 breach, were false and misleading and violated New York’s consumer protection laws.”
Dunkin’ states the lawsuit is incorrect and there was not adequate evidence that customers’ accounts had been “wrongly accessed” during the 2015 event.
NY Attorney General Letitia James has participated in several cybersecurity and data protection lawsuits in the past, including the recent Equifax data breach, which resulted in a large multi-state settlement to be distributed among impacted victims.
This may warrant more than an apology and a free donut.
If you need assistance with your cybersecurity needs contact DarkHound SecOps at [email protected]
Sources:
https://www.securityinfowatch.com/cybersecurity/information-security/news/21107874/dunkin-donuts-sued-by-ny-ag-over-its-handling-of-data-breach
https://www.engadget.com/2019/09/27/ny-attorney-general-sues-dunkin-cyberattacks/?guccounter=1