Dunkin’ Faces Fine Over Cybersecurity

Dunkin’ Donuts glazed over its problems with customer information being hacked. According to Letitia James, New York Attorney General: “For years, Dunkin’ hid the truth and failed to protect the security of its customers, who were left paying the bill. It’s time to make amends and finally fill the holes in Dunkin’s cybersecurity. Not only will customers be reimbursed for lost funds, but we are ensuring the company’s dangerous brew of lax security and negligence comes to an end.” One way the state is ensuring that Dunkin’ takes care of its cybersecurity issue is by imposing a $650,000 fine on Dunkin’.

James said that Dunkin’ will be righting their wrong with their customers. Dunkin’ will notify customers affected by the attacks between the years 2015 and 2018, reset their passwords, and provide refunds for unauthorized use of their Dunkin’ branded stored value cards. 

In all, Dunkin’ agreed to the following terms:

  • “Defendant shall not misrepresent its data security practices.”
  • “Defendant shall maintain a comprehensive information security program designed to protect Customer Personal Information that includes, at a minimum, reasonable technological, administrative, and physical safeguards.”
  • “The Security Program must include reasonable measures to protect Customer Accounts against brute force and credential stuffing attacks.”
  • “In the event that Defendant has a reasonable suspicion that there has been a Data Security Event, Defendant shall promptly conduct a reasonable investigation aimed at determining whether the Data Security Event is ongoing, the cause and scope of the Data Security Event, the Customer Accounts that may have been affected, and the categories of Customer Personal Information that may have been accessed and/or acquired.”

This all started back in 2015, when hackers used stolen usernames and passwords to perpetrate automated “brute force” and “credential stuffing” attacks. Tens of thousands of dollars were stolen from accounts created on Dunkin’s website or its free mobile app.

“In 2015, Dunkin’s customer accounts were targeted in a series of online attacks. During this period, attackers made millions of automated attempts to access customer accounts. Tens of thousands of customer accounts were compromised. Tens of thousands of dollars on customers’ stored value cards were stolen.”

“Despite having promised customers that it would protect their personal information and company policies that required a thorough and deliberate investigation, Dunkin’ failed to conduct an appropriate investigation into, and analysis of, the attacks to determine which customer accounts had been compromised, what customer information had been acquired, and whether customer funds had been stolen.”

Nothing was done when it was brought to Dunkin’s attention that 19,715 customers were targeted over a five-day period. Dunkin’ also did not take the necessary safety precautions to prevent future attacks. Because Dunkin’ kept its customers in the dark, even though it had been warned by its app developer, it was at the brink of a billion-dollar fine.

Dunkin’ will be paying customers back the money lost from their Dunkin’ branded stored value cards because of unauthorized transactions. These customers’ funds should be refunded by the end of November 2020.

A statement made by Dunkin’ said that the cyberattacks affected less than 1% of their Perks Loyalty members and that hackers didn’t have access to credit card information.