New York AG Files Lawsuit Against Dunkin’ Donuts For Attacks On Customer Accounts


On September 26, 2019, New York Attorney General Letitia James filed a lawsuit against Dunkin’ Brands, Inc., the franchisor of Dunkin’ Donuts (“Dunkin’”).

The lawsuit involves security issues surrounding Dunkin’s stored value cards, which customers can use to purchase Dunkin’ food and merchandise. Customers can create an online account through Dunkin’s website or mobile app, and then manage their card through that account. Customers can store credit card information in their account to “reload” their cards.

The lawsuit alleges that beginning in early 2015, Dunkin’ customer accounts were targets of credential stuffing attacks (i.e., repeated attempts to gain access to an account through the use of username and password combinations that were previously stolen in an unrelated data breach). If successful in logging in to a customer account, the attackers could access the customer’s name, email address, profile ID, and the card numbers and PINs for all Dunkin’ stored value cards associated with the customer’s account. By August 2015, over 19,000 customer accounts had allegedly been compromised.

The lawsuit alleges that Dunkin’ was aware of these attacks as early as May 2015, but failed to take any remedial action for several years. The developer of the Dunkin’ mobile app noticed higher than expected traffic, consistent with a credential stuffing attack, and alerted Dunkin’ in June 2015. But, according to the lawsuit, Dunkin’ did not investigate the issue, implement additional security measures, or take steps to identify customer accounts that might have been compromised.
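As an added illustration (not part of the original article, and not Dunkin’s or its app developer's code), the kind of traffic-pattern check that would surface the anomaly described above: given constructed login-log lines, it flags source addresses that try many distinct usernames with mostly failed attempts, and lists the accounts those sources did get into so they can be reviewed and notified. The log format and the thresholds are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample authentication log (not from the page). Assumed format:
# "<timestamp> ip=<addr> user=<name> result=<ok|fail>", one login attempt per line.
SAMPLE_LOG = """\
2015-06-01T10:00:01 ip=203.0.113.5 user=alice result=fail
2015-06-01T10:00:02 ip=203.0.113.5 user=bob result=fail
2015-06-01T10:00:03 ip=203.0.113.5 user=carol result=ok
2015-06-01T10:00:04 ip=203.0.113.5 user=dave result=fail
2015-06-01T10:00:05 ip=203.0.113.5 user=erin result=fail
2015-06-01T10:00:06 ip=203.0.113.5 user=frank result=fail
2015-06-01T10:00:07 ip=198.51.100.9 user=alice result=fail
2015-06-01T10:00:08 ip=198.51.100.9 user=alice result=ok
2015-06-01T10:00:09 ip=192.0.2.77 user=grace result=ok
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$")

def parse_log(text):
    """Parse log lines into dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events

def flag_credential_stuffing(events, min_attempts=5, min_distinct_users=4, max_success_rate=0.5):
    """Return {ip: report} for sources whose pattern matches credential stuffing:
    many attempts spread over many distinct usernames with a low success rate.
    Thresholds are illustrative assumptions, not values from the lawsuit."""
    per_ip = defaultdict(lambda: {"attempts": 0, "users": set(), "ok": 0, "ok_users": set()})
    for e in events:
        s = per_ip[e["ip"]]
        s["attempts"] += 1
        s["users"].add(e["user"])
        if e["result"] == "ok":
            s["ok"] += 1
            s["ok_users"].add(e["user"])  # accounts this source actually got into
    flagged = {}
    for ip, s in per_ip.items():
        success_rate = s["ok"] / s["attempts"]
        if (s["attempts"] >= min_attempts and len(s["users"]) >= min_distinct_users
                and success_rate <= max_success_rate):
            flagged[ip] = {"attempts": s["attempts"], "distinct_users": len(s["users"]),
                           "accounts_to_review": sorted(s["ok_users"])}
    return flagged
```

A normal user retrying their own password (198.51.100.9) is not flagged, because the check keys on breadth of usernames per source rather than on failures alone.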

Then, in the fall of 2018, attackers gained access to more than 300,000 customer accounts through credential stuffing attacks. Approximately 175,000 of those customer accounts had at least one stored value card associated with them. According to the lawsuit, while Dunkin’ notified the affected customers in November 2018, that notification implied that unauthorized third parties may have attempted to log in to the customer accounts, when in fact those accounts had actually been accessed by an unauthorized party.

The lawsuit asserts causes of action under New York law for repeated and persistent fraudulent business conduct, deceptive business practices, and false advertising. It also alleges violation of New York’s data breach notification law. The lawsuit alleges that Dunkin’ violated those laws by misrepresenting to its customers the steps Dunkin’ took to safeguard customer accounts, failing to properly investigate and provide notification of the breaches, and misrepresenting the nature of the attacks.

The case illustrates the importance of acting quickly to remediate and investigate suspected data breaches and thoroughly documenting the resulting analysis and course of action. For example, Dunkin’ stated that the accounts breached in 2015 did not contain any customer payment card data, and therefore, customer notification was not necessary. Comprehensive documentation of the steps Dunkin’ took to make this determination could provide powerful evidence that it did not violate the law. With regard to the 2018 breach, Dunkin’ states that it properly notified affected customers. Again, documentation of the steps that Dunkin’ took to identify compromised accounts and mitigate the risk of harm to its customers will be a key component of its defense.

Brian Kint

Brian is a certified information privacy professional (CIPP/E, CIPP/US) who consistently finds creative solutions to his clients' problems. Brian's passion lies at the intersection of law and technology. Prior to attending law school, Brian had a successful career as an IT professional at a large financial institution. He was credentialed as a Microsoft Certified Systems Engineer (MCSE) and a Cisco Certified Network Associate (CCNA). Brian’s mix of legal knowledge and IT experience makes him uniquely situated to advise and advocate for clients on constantly changing data privacy and cybersecurity issues. He can speak the language of the law as well as the language of the IT professionals responsible for developing and implementing technology solutions to adhere to the law and to the organization’s data security strategy. Not only does this capability give Brian a distinct advantage when litigating data privacy issues, but it also ensures that his clients’ legal obligations are successfully translated into effective IT solutions.
