Wednesday, February 19, 2025

Dunkin’ Donuts Being Sued for Cyberattacks that Resulted in Theft of Tens of Thousands of Dollars

Time to make the donuts, indeed.

Dunkin’ Donuts Inc. is being sued for cyberattacks that resulted in the theft of tens of thousands of dollars.

By: Lucy Alcindor

According to reports, hackers accessed money stored on Dunkin’ value cards of nearly 20,000 customers who created accounts through Dunkin’s website and mobile apps four years ago.

The parent company of the chain is being sued by the New York Attorney General for failing to notify customers of the attacks.

New York Attorney General Letitia James said the company failed to notify nearly 20,000 customers that their accounts had been compromised, even though their information and personal funds were in jeopardy. Dunkin’ also failed to conduct an investigation into a series of attacks that would have helped it determine which other accounts had been compromised, what customer information had been acquired, and whether customer funds had been stolen.

“Dunkin’ failed to protect the security of its customers,” said James. “And instead of notifying the tens of thousands impacted by these cybersecurity breaches, Dunkin’ sat idly by, putting customers at risk. My office is committed to protecting consumer data and holding businesses accountable for implementing safe security practices.”

The lawsuit involves accounts of the company’s customers created through the Dunkin’ website or free mobile app for Android and iOS devices, according to a release. These accounts enable customers to manage “DD cards” — stored value cards that customers can use to make purchases at both Dunkin’ stores and online. To encourage customers to create accounts, Dunkin’ represented that the company was using reasonable safeguards to protect customers’ personal information from loss, misuse, and unauthorized access and disclosure.

“Beginning in early 2015, customer accounts were targeted in a series of ‘brute force attacks,’ which are repeated, automated attempts to gain access to accounts, often using usernames and passwords stolen through security breaches of other unrelated websites or online services. An attacker that gained access to a customer’s Dunkin’ account could not only use DD cards registered to the account to make purchases, but could also sell the DD cards online. In a matter of months, tens of thousands of customer accounts were compromised through these attacks, and tens of thousands of dollars on customers’ DD cards were stolen,” the attorney general’s office said.

By May 2015, Dunkin’ personnel were receiving customer reports that attackers were gaining access to their accounts. Additionally, over a period of several months during the summer of 2015, a third-party app developer for Dunkin’ repeatedly alerted the company to attackers’ ongoing attempts to log in to customer accounts, and even provided Dunkin’ with a list of 19,715 accounts that had been compromised by attackers over just a five-day period.

“Yet, Dunkin’ failed to take any steps to protect these nearly 20,000 customers — or the potentially thousands more they did not know about — by notifying them of unauthorized access, resetting their account passwords to prevent further unauthorized access, or freezing their DD cards. Dunkin’ also failed to conduct any investigation into or analysis of the attacks to determine how many more customer accounts had been compromised, what customer information had been acquired, and whether customer funds had been stolen,” the release added.
