New York Attorney General Letitia James filed a lawsuit against Dunkin’ Donuts in the Supreme Court of the State of New York on Thursday, September 26, 2019. The complaint alleges fraudulent, deceptive and illegal conduct, and focuses on Dunkin’ Donuts’ breaches in 2015 and 2018. It alleges that the company’s failure to respond to these breaches violated state law.
“Dunkin’ failed to protect the security of its customers,” said Attorney General Letitia James in a statement. “And instead of notifying the tens of thousands impacted by these cybersecurity breaches, Dunkin’ sat idly by, putting customers at risk.”
The first breach occurred in early 2015. “In 2015,” says the court document (PDF), “Dunkin’s customer accounts were targeted in a series of online attacks. During this period, attackers made millions of automated attempts to access customer accounts. Tens of thousands of customer accounts were compromised. Tens of thousands of dollars on customers’ stored value cards were stolen.”
The stored value cards are known as DD cards and will generally have a monetary value.
The attacks were almost certainly credential stuffing attacks, using credentials stolen from other websites that Dunkin’s customers had reused without change. For several months in the summer of 2015, Dunkin’s app developer repeatedly tried to alert the company to the ongoing problem. “The vendor even provided Dunkin’ with a list of 19,715 customer accounts that had been accessed by attackers over just a sample five-day period,” says the complaint.
In a statement to the press, Dunkin’ Donuts refuted the claims. “There is absolutely no basis for these claims by the New York Attorney General’s Office,” wrote a Dunkin’ spokesperson. “For more than two years, we have fully cooperated with the AG’s investigation into this matter, and we are shocked and disappointed that they chose to move ahead with this lawsuit given the lack of merit to their case.” It claims that attempts to access approximately 20,000 Dunkin’ app accounts were unsuccessful, and adds that its own investigation “showed that no customer’s account was wrongfully accessed, and, therefore, there was no reason to notify our customers.”
This is in sharp contrast to the claims made by the state attorney general. Assuming the ‘20,000’ accounts cited by Dunkin’ are the same 19,715 cited in the complaint, the attorney general is claiming that Dunkin’ knew of these attacks, and was specifically notified that the accounts had been ‘accessed by attackers’. “Yet,” says Letitia James’ statement, “Dunkin’ failed to take any steps to protect these nearly 20,000 customers — or the potentially thousands more they did not know about — by notifying them of unauthorized access, resetting their account passwords to prevent further unauthorized access, or freezing their DD cards. Dunkin’ also failed to conduct any investigation into or analysis of the attacks to determine how many more customer accounts had been compromised, what customer information had been acquired, and whether customer funds had been stolen.”
The complaint alleges that Dunkin’ failed to conduct an appropriate investigation into the 2015 incident, and did not implement appropriate safeguards to limit future attacks. “Moreover,” it adds, “following the attacks in 2015, Dunkin’ failed to implement appropriate safeguards to limit future brute force attacks through the mobile app.”
In late 2018, Dunkin’ suffered a repeat credential stuffing attack. This attack resulted in the unauthorized access of more than 300,000 customer accounts. A Dunkin’ security vendor notified the company of the attacks on October 5, 2018, describing them as ‘unmitigated’ — which the complaint takes to mean that there was no attempt by the vendor to block them. The vendor, “of its own accord, provided Dunkin’ with an initial list of accounts that had been accessed by attackers,” and then updated the list over the next few weeks.
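A defender-side illustration of the kind of analysis the complaint says was missing, as an added example that is not part of the article or of Dunkin’s or its vendor’s systems: it scans constructed mobile-app login records, flags a source that tries many distinct accounts in a short window (the credential stuffing signature behind “millions of automated attempts”), and produces the list of accounts that were actually accessed so they can be notified and have their passwords reset. The log format, thresholds and addresses are assumptions.

```python
"""Added example (not from the article): credential-stuffing detection over constructed login logs."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in an assumed "timestamp ip account result" format.
# 203.0.113.7 sprays six different accounts in five seconds (two succeed);
# 198.51.100.2 is one customer logging into their own account twice.
SAMPLE_LOG = """\
2015-06-01T10:00:00 203.0.113.7 alice@example.com FAIL
2015-06-01T10:00:01 203.0.113.7 bob@example.com FAIL
2015-06-01T10:00:02 203.0.113.7 carol@example.com OK
2015-06-01T10:00:03 203.0.113.7 dave@example.com FAIL
2015-06-01T10:00:04 203.0.113.7 erin@example.com OK
2015-06-01T10:00:05 203.0.113.7 frank@example.com FAIL
2015-06-01T10:30:00 198.51.100.2 alice@example.com OK
2015-06-01T10:31:00 198.51.100.2 alice@example.com OK
"""

def parse(log_text):
    """Return (timestamp, ip, account, success) tuples, one per log line."""
    events = []
    for line in log_text.splitlines():
        ts, ip, account, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, account, result == "OK"))
    return events

def detect_stuffing(events, window=timedelta(minutes=10), min_distinct_accounts=5):
    """Flag source IPs that attempt >= min_distinct_accounts different accounts within `window`.
    A normal user retries one account; a stuffing tool walks a list of stolen credentials.
    Returns {ip: set of accounts successfully accessed from that ip inside a flagged window}."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)
    accessed = {}
    for ip, evs in by_ip.items():
        evs.sort()                      # sliding window over time-ordered events
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            span = evs[start:end + 1]
            if len({e[2] for e in span}) >= min_distinct_accounts:
                hits = {e[2] for e in span if e[3]}
                accessed.setdefault(ip, set()).update(hits)
    return accessed

def accounts_to_reset(accessed):
    """Union of accounts reached from flagged sources: the notify-and-reset list."""
    out = set()
    for hits in accessed.values():
        out |= hits
    return sorted(out)
```

Counting distinct accounts per source rather than failures per account is what separates a stuffing campaign from an individual mistyping a password; the resulting list is the one a vendor would hand over and the one the complaint says should have triggered notification and resets.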
This time, Dunkin’ did respond, but the complaint alleges its communications were misleading. The firm sent an email to the 300,000 customers whose accounts had been accessed by attackers, stating “We are not aware of any issue with the Dunkin’ Mobile App or websites however we recently observed attempted login activity on your Dunkin’ Perks Account using a device not previously associated with your account. As a precaution, we have reset your Dunkin’ Perks password . . .”
Similarly, a separate letter sent to approximately 175,000 customers with one or more DD cards registered to their account simply said that a Dunkin’ security vendor had told the firm, “a third-party may have attempted to log in to your DD Perks account.”
The state attorney general is clearly dissatisfied with what her office believes to have been Dunkin’s behavior both during and after the 2015 and 2018 credential stuffing attacks.
“The lawsuit,” says the state AG’s office statement, “specifically alleges that Dunkin’ violated New York’s data breach notification statute, General Business Law § 899-aa, by failing to notify consumers and New York State authorities of the 2015 data breach, and failing to accurately notify consumers of the 2018 data breach. The lawsuit also alleges that Dunkin’ violated New York’s consumer protection laws, including Executive Law § 63(12), and General Business Law §§ 349 and 350, by misrepresenting to consumers that it provided reasonable safeguards to protect customers’ personal information when they first signed up for an account. The lawsuit seeks injunctive relief, full restitution to customers, civil penalties, and other remedies.”
SecurityWeek has invited Dunkin’ Donuts to comment on the lawsuit. Any comment received will be appended to this article.