New York state officials have filed a lawsuit against the company behind the Dunkin' Donuts franchise for failing to notify customers of a 2015 security breach, among many other things.
Dunkin' Brands, the company behind the franchise, told ZDNet there's "absolutely no basis" for the lawsuit, and that it was "shocked and disappointed" by the New York Attorney General's Office's decision to move forward with litigation.
At the center of the lawsuit is DD Perks, the company's online accounts. Dunkin' customers can register these accounts through the Dunkin' Donuts websites and mobile apps. They can be used to store rewards points on so-called "DD cards," which they can later use to obtain discounts at Dunkin' locations.
According to a lawsuit filed by the New York Attorney General's Office yesterday, Dunkin' failed on several occasions to investigate cyber-attacks aimed at these accounts and also failed to notify customers of account breaches.
The lawsuit [PDF] alleges the following:
- That in early 2015, attackers used brute-force attacks to guess usernames and passwords and access Dunkin' accounts.
- That Dunkin' started receiving reports of abuse from customers by May 2015.
- That a third-party app developer also warned the company of the attacks during the summer of 2015 and even provided Dunkin' with a list of 19,715 accounts that had been compromised by attackers over just a five-day period.
- That Dunkin' failed to notify these customers, according to state data breach laws.
- That Dunkin' failed to reset passwords and freeze DD cards for the impacted accounts.
- That Dunkin' didn't investigate the attacks to determine if other accounts were also impacted.
- That Dunkin' failed to implement appropriate safeguards to prevent future attacks against its users.
- That in late 2018 a similar attack took place during which unknown hackers gained access to more than 300,000 accounts.
- That in a data breach notification the company sent out to customers in November 2018 it misled users into believing that the attackers only "attempted" to log into accounts and that they were unsuccessful.
- That Dunkin' knew from its security vendor that hackers accessed accounts but lied [see image below].
ZDNet reported the 2018 attack in late November last year when Dunkin' sent out a data breach notification letter. At the time, the company told ZDNet that the incident was a credential stuffing attack during which hackers used usernames and passwords leaked from breaches at other companies to gain access to Dunkin' accounts.
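The attack pattern described above (one source working through many leaked username/password pairs) shows up in an authentication log as a single client trying many distinct accounts in a short window, most of them failing. The script below, an added example that is not code from the article or from Dunkin', flags such sources and lists the accounts that were actually logged into from them, which is the set a response would reset passwords for and freeze stored-value cards on. The log format, IP addresses, usernames and thresholds are constructed assumptions for the illustration.

```python
"""Detecting credential-stuffing style login activity in an auth log.

Added illustration; not code from the article or from Dunkin' Brands.
Log format, addresses, usernames and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data). Assumed format:
#   <ISO timestamp> <source_ip> <username> <LOGIN_OK|LOGIN_FAIL>
SAMPLE_LOG = """\
2018-11-01T10:00:01 203.0.113.7 alice LOGIN_FAIL
2018-11-01T10:00:02 203.0.113.7 bob LOGIN_FAIL
2018-11-01T10:00:03 203.0.113.7 carol LOGIN_OK
2018-11-01T10:00:04 203.0.113.7 dave LOGIN_FAIL
2018-11-01T10:00:05 203.0.113.7 erin LOGIN_FAIL
2018-11-01T10:00:06 203.0.113.7 frank LOGIN_OK
2018-11-01T10:00:07 203.0.113.7 grace LOGIN_FAIL
2018-11-01T10:00:08 203.0.113.7 heidi LOGIN_FAIL
2018-11-01T10:05:00 198.51.100.4 alice LOGIN_FAIL
2018-11-01T10:05:30 198.51.100.4 alice LOGIN_OK
2018-11-01T11:30:00 192.0.2.9 bob LOGIN_OK
"""


def parse_log(text):
    """Parse the assumed log format into (timestamp, ip, user, success) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, outcome = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, outcome == "LOGIN_OK"))
    return events


def find_stuffing_sources(events, window=timedelta(minutes=10),
                          min_users=5, max_success_ratio=0.5):
    """Return {ip: set(usernames)} for sources that tried at least `min_users`
    distinct accounts inside `window` with a mostly failing outcome.

    That is the signature of credential stuffing or brute forcing: one client,
    many accounts, one guess each. A single customer retrying their own
    password hits only one username and is not flagged.
    """
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((ts, user, ok))

    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort()
        start = 0
        # Sliding window over this source's events, oldest to newest.
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            chunk = evs[start:end + 1]
            users = {u for _, u, _ in chunk}
            if len(users) < min_users:
                continue
            successes = sum(1 for _, _, ok in chunk if ok)
            if successes / len(chunk) <= max_success_ratio:
                flagged.setdefault(ip, set()).update(users)
    return flagged


def accounts_to_reset(events, flagged):
    """Usernames that were successfully logged into from a flagged source.

    These are compromised accounts, not merely 'attempted' ones: the set a
    response would reset passwords for and freeze stored-value cards on.
    """
    return sorted({user for _, ip, user, ok in events if ok and ip in flagged})


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    hits = find_stuffing_sources(evs)
    for ip, users in hits.items():
        print(f"{ip}: {len(users)} distinct accounts tried")
    print("accounts to reset:", accounts_to_reset(evs, hits))
```

The thresholds are deliberately simple; in production the same logic would run over a much larger window and would also key on other client attributes, but the distinction it draws (attempts versus successful logins from a flagged source) is the one at the heart of the notification dispute described above.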
As the New York state lawsuit notes, the breach notification letter described the attack as attempts to log into accounts, and said the company "was successful in stopping most of these attempts," but not all.
Furthermore, the company suffered another credential stuffing attack in February 2019.
Dunkin' disputes the state's claims
But in an email to ZDNet, Dunkin' disputed all the claims made by New York state officials in their lawsuit.
"There is absolutely no basis for these claims by the New York Attorney General's Office," a Dunkin' spokesperson told ZDNet. "For more than two years, we have fully cooperated with the AG's investigation into this matter, and we are shocked and disappointed that they chose to move ahead with this lawsuit given the lack of merit to their case.
"The investigation centered on a credential stuffing incident that occurred in 2015, in which third parties unsuccessfully tried to access approximately 20,000 Dunkin' app accounts. The database in question did not contain any customer payment card information," it added.
"The incident was brought to our attention by our then-firewall vendor, and we immediately conducted a thorough investigation. This investigation showed that no customer's account was wrongfully accessed, and, therefore, there was no reason to notify our customers.
"We take the security of our customers' data seriously and have robust data protection safeguards in place," Dunkin' said. "We look forward to proving our case in court."