September 26, 2019 – Dunkin’ bungled its response to a series of “brute force” cyberattacks aimed at thousands of its customers through the company’s free mobile app and its website, ignoring the assault and misleading the customers, the New York attorney general has alleged in a lawsuit.
“Dunkin’ failed to protect the security of its customers,” Attorney General Letitia James said in a statement. “And instead of notifying the tens of thousands impacted by these cybersecurity breaches, Dunkin’ sat idly by, putting customers at risk.”
The release from James’ office outlining the lawsuit accused the Canton-based company (Nasdaq: DNKN) of “glazing over” the cyberattacks and violating New York consumer protection laws.
Separately, a spokesperson for Massachusetts Attorney General Maura Healey said her office is investigating the cyberattacks and coordinating the effort with the New York attorney general.
Through a spokesperson, Dunkin’ struck back at James’ office and said they “look forward” to going to court.
“There is absolutely no basis for these claims by the New York Attorney General’s Office,” said Karen Raskopf, the company’s chief communications officer. “For more than two years, we have fully cooperated with the AG’s investigation into this matter, and we are shocked and disappointed that they chose to move ahead with this lawsuit given the lack of merit to their case.”
Beginning in early 2015, the company’s customer accounts were hit by repeated “brute force attacks” using usernames and passwords stolen in other security breaches, according to the lawsuit. Replaying credentials leaked elsewhere, rather than guessing passwords, is what security practitioners call credential stuffing, the term Dunkin’ itself uses in its response. The attackers made “millions” of attempts throughout 2015, according to the suit.
The lawsuit said Dunkin’ employees, seeing traffic spikes, discovered in May 2015 that attackers had accessed customer accounts. An internal company presentation said 750 customers saw their accounts used by attackers. According to the lawsuit, attackers who had access to customer accounts could make purchases, sell the “DD cards” online, use free beverage coupons, and use the account information for other types of attacks like phishing scams.
CorFire, the app developer for Dunkin’, made its own discovery in June 2015 through traffic volume to the mobile app and repeatedly alerted the company, the lawsuit said.
“Dunkin’ failed to take appropriate action after receiving CorFire’s report,” the lawsuit said. “Dunkin’ did not ask CorFire to attempt to identify which customer accounts had been accessed by the attackers. Indeed, Dunkin’ did not conduct any investigation into the scope of the attacks or whether accounts had been accessed without authorization.”
CorFire later offered a list of 19,715 accounts that had been breached over a five-day period, and Dunkin’ “did not investigate whether the 19,715 accounts had been accessed without authorization, what customer information had been acquired, and whether customer funds had been stolen,” the lawsuit stated.
The coffee company also did not notify customers of the breach, did not reset the passwords, and did not freeze the “DD cards,” as the accounts are known, the lawsuit continued.
“By early 2018, the number of customers per month reporting their account had been compromised was three to four times the volume of customer reports in August 2015. In January 2018 alone, more than 950 customers reported that their account had been compromised,” the lawsuit said. “During this time period, Dunkin’ failed to implement appropriate safeguards to limit brute force attacks through the mobile app.”
The company finally sought to block the attacks through a security vendor in late March 2018, the lawsuit alleged.
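The steps the lawsuit says were missing after the 2015 attacks, working out which accounts the attackers actually got into, resetting their passwords, freezing the stored-value cards and limiting the attack rate, all start from the same triage: separating credential-stuffing traffic from ordinary logins and listing the accounts it succeeded against. The following Python is an added example and is not code from Dunkin’, CorFire or the attorney general’s filing; the log format, the source addresses, the usernames and the thresholds are all assumptions chosen for illustration.

```python
"""Credential-stuffing triage over application login logs.

Added illustration, not code from Dunkin', CorFire or the lawsuit. The log
format, IP addresses, usernames and thresholds are assumptions.
"""
from collections import defaultdict

# Constructed sample log (not real traffic): "timestamp src_ip username result".
# 203.0.113.7  cycles many usernames once each (credential stuffing, 2 hits)
# 198.51.100.23 hammers one username (classic single-account brute force)
# 192.0.2.44   is a real user who mistyped once
SAMPLE_LOG = """\
2015-05-12T03:00:01Z 203.0.113.7 alice@example.com FAIL
2015-05-12T03:00:02Z 203.0.113.7 bob@example.com FAIL
2015-05-12T03:00:02Z 203.0.113.7 carol@example.com OK
2015-05-12T03:00:03Z 203.0.113.7 ivan@example.com FAIL
2015-05-12T03:00:03Z 203.0.113.7 erin@example.com FAIL
2015-05-12T03:00:04Z 203.0.113.7 frank@example.com OK
2015-05-12T03:00:04Z 203.0.113.7 grace@example.com FAIL
2015-05-12T03:00:05Z 203.0.113.7 heidi@example.com FAIL
2015-05-12T03:01:10Z 198.51.100.23 dave@example.com FAIL
2015-05-12T03:01:11Z 198.51.100.23 dave@example.com FAIL
2015-05-12T03:01:12Z 198.51.100.23 dave@example.com FAIL
2015-05-12T03:01:13Z 198.51.100.23 dave@example.com FAIL
2015-05-12T03:01:14Z 198.51.100.23 dave@example.com FAIL
2015-05-12T03:01:15Z 198.51.100.23 dave@example.com OK
2015-05-12T03:02:00Z 192.0.2.44 alice@example.com FAIL
2015-05-12T03:02:09Z 192.0.2.44 alice@example.com OK
"""


def parse_log(text):
    """Parse the assumed log format into (timestamp, ip, user, success) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((ts, ip, user.lower(), result == "OK"))
    return events


def per_source_stats(events):
    """Per source IP: attempts, distinct usernames tried, failures, and the
    usernames for which a login from that source succeeded."""
    stats = defaultdict(lambda: {"attempts": 0, "users": set(),
                                 "failures": 0, "succeeded": set()})
    for _ts, ip, user, ok in events:
        s = stats[ip]
        s["attempts"] += 1
        s["users"].add(user)
        if ok:
            s["succeeded"].add(user)
        else:
            s["failures"] += 1
    return stats


def classify(stats, min_attempts=5, min_distinct_users=5, min_fail_ratio=0.6):
    """Heuristic verdict per source. Stuffing is many distinct usernames with a
    high failure ratio; brute force is the same failure ratio against few
    usernames; everything under the attempt threshold is treated as benign.
    Thresholds are illustrative assumptions, not tuned values."""
    verdicts = {}
    for ip, s in stats.items():
        fail_ratio = s["failures"] / s["attempts"]
        if s["attempts"] < min_attempts or fail_ratio < min_fail_ratio:
            verdicts[ip] = "benign"
        elif len(s["users"]) >= min_distinct_users:
            verdicts[ip] = "credential_stuffing"
        else:
            verdicts[ip] = "single_account_brute_force"
    return verdicts


def compromised_accounts(stats, verdicts):
    """Accounts with a successful login from a hostile source: the list needed
    to notify customers, force password resets and freeze stored value."""
    hit = set()
    for ip, verdict in verdicts.items():
        if verdict != "benign":
            hit |= stats[ip]["succeeded"]
    return sorted(hit)


def overall_failure_ratio(events):
    """Endpoint-wide failure ratio: the aggregate traffic signal that survives
    even when an attacker spreads attempts across many source addresses."""
    if not events:
        return 0.0
    return sum(1 for e in events if not e[3]) / len(events)


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    st = per_source_stats(ev)
    vd = classify(st)
    for ip, verdict in vd.items():
        print(ip, verdict, "attempts=%d distinct=%d" % (st[ip]["attempts"], len(st[ip]["users"])))
    print("accounts to reset/freeze:", compromised_accounts(st, vd))
    print("overall failure ratio: %.2f" % overall_failure_ratio(ev))
```

Per-source thresholds are easy to evade by spreading attempts over proxies, which is why the endpoint-wide failure ratio is kept as a separate signal; it is the same traffic-volume anomaly that, according to the lawsuit, both Dunkin’ staff and CorFire noticed in 2015. In production the same logic would run over sliding time windows and feed a rate limiter or the kind of bot-mitigation vendor the suit says was only engaged in 2018.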
Raskopf, the Dunkin’ spokesperson, said the attorney general’s investigation is based on a “credential stuffing incident that occurred in 2015, in which third parties unsuccessfully tried to access approximately 20,000 Dunkin’ app accounts.”
“The database in question did not contain any customer payment card information. The incident was brought to our attention by our then-firewall vendor, and we immediately conducted a thorough investigation,” she said in an emailed statement. “This investigation showed that no customer’s account was wrongfully accessed, and, therefore, there was no reason to notify our customers. We take the security of our customers’ data seriously and have robust data protection safeguards in place.”
The New York AG lawsuit claims that later in 2018, the customer accounts were again targeted. “Attackers gained access to more than 300,000 Dunkin’ customer accounts, including the accounts of more than 36,000 New York customers, and retrieved customer information, including customer names, email addresses, and the card numbers (and associated PINs) of DD cards registered to the accounts,” the lawsuit said.
“As with the attacks in 2015, Dunkin’ did not investigate the attack and did not ask its security vendor to identify which customer accounts had been accessed by the attackers,” the AG lawsuit added.
Dunkin’ eventually reached out to customers in late 2018, and “falsely represented that it and its vendor had concluded only that a third party had ‘attempted’ or ‘may have attempted to log in’ to customers’ accounts,” the lawsuit said.
Dunkin’ notified Healey’s office of one of the data breaches in December 2018. Roughly 18,000 customers in Massachusetts were affected, her office said, adding that the office later learned of the 2015 breach.
“Our office is investigating the data breaches involving Dunkin to assess the extent, review the circumstances, and determine whether it properly notified affected consumers as required by law,” a Healey spokeswoman said. “We need to ensure that companies have the proper safeguards in place to protect the financial information of Massachusetts consumers.”
By Gintautas Dumcius, Boston Business Journal