On September 26, 2019, New York Attorney General Letitia James filed a lawsuit against Dunkin’ Brands, Inc., the franchisor of Dunkin’ Donuts (“Dunkin’”).
The lawsuit involves security issues surrounding Dunkin’s stored value cards, which customers can use to purchase Dunkin’ food and merchandise. Customers can create an online account through Dunkin’s website or mobile app, and then manage their card through that account. Customers can also store credit card information in their account to “reload” their cards.
The lawsuit alleges that beginning in early 2015, Dunkin’ customer accounts were targets of credential stuffing attacks (i.e., repeated automated login attempts using username and password combinations that were previously stolen in an unrelated data breach, relying on customers reusing the same credentials across sites). If an attacker succeeded in logging in to a customer account, the attacker could access the customer’s name, email address, profile ID, and the card numbers and PINs for all Dunkin’ stored value cards associated with that account. By August 2015, over 19,000 customer accounts had allegedly been compromised.
The lawsuit alleges that Dunkin’ was aware of these attacks as early as May 2015, but failed to take any remedial action for several years. The developer of the Dunkin’ mobile app noticed higher than expected traffic, consistent with a credential stuffing attack, and alerted Dunkin’ in June 2015. But, according to the lawsuit, Dunkin’ did not investigate the issue, implement additional security measures, or take steps to identify customer accounts that might have been compromised.
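The signal the app developer reportedly saw, a spike in login traffic, is the coarsest indicator of credential stuffing. A more specific one is the shape of the attempts: a stuffing campaign tries roughly one leaked password per username across many accounts, whereas a brute-force attack hammers a few accounts with many passwords. The detector below, an added example that is not code from the article or from Dunkin’, groups authentication log lines by source address and separates the two patterns, then lists the accounts that actually logged in successfully from a flagged source, which is the list an investigation would need in order to identify compromised accounts. The log format, the sample lines, and the thresholds are constructed for illustration.

```python
"""Detect credential-stuffing patterns in authentication logs.

Added example, not from the original article. The log format
"<timestamp> <source_ip> <username> <OK|FAIL>", the sample lines and the
thresholds are constructed assumptions for illustration only.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log (not real traffic):
#   198.51.100.7 tries one password against each of many accounts (stuffing),
#   203.0.113.9 tries many passwords against one account (brute force),
#   192.0.2.44 is an ordinary user who mistyped a password once.
SAMPLE_LOG = """\
2015-05-02T03:14:01Z 198.51.100.7 alice@example.com FAIL
2015-05-02T03:14:02Z 198.51.100.7 bob@example.com FAIL
2015-05-02T03:14:02Z 198.51.100.7 carol@example.com OK
2015-05-02T03:14:03Z 198.51.100.7 dave@example.com FAIL
2015-05-02T03:14:03Z 198.51.100.7 erin@example.com FAIL
2015-05-02T03:14:04Z 198.51.100.7 frank@example.com FAIL
2015-05-02T03:14:04Z 198.51.100.7 grace@example.com OK
2015-05-02T03:14:05Z 198.51.100.7 heidi@example.com FAIL
2015-05-02T03:14:05Z 198.51.100.7 ivan@example.com FAIL
2015-05-02T03:14:06Z 198.51.100.7 judy@example.com FAIL
2015-05-02T03:15:00Z 203.0.113.9 alice@example.com FAIL
2015-05-02T03:15:01Z 203.0.113.9 alice@example.com FAIL
2015-05-02T03:15:02Z 203.0.113.9 alice@example.com FAIL
2015-05-02T03:15:03Z 203.0.113.9 alice@example.com FAIL
2015-05-02T03:15:04Z 203.0.113.9 alice@example.com FAIL
2015-05-02T03:15:05Z 203.0.113.9 alice@example.com FAIL
2015-05-02T03:15:06Z 203.0.113.9 alice@example.com FAIL
2015-05-02T03:15:07Z 203.0.113.9 alice@example.com FAIL
2015-05-02T03:15:08Z 203.0.113.9 alice@example.com FAIL
2015-05-02T03:15:09Z 203.0.113.9 alice@example.com FAIL
2015-05-02T03:20:00Z 192.0.2.44 carol@example.com FAIL
2015-05-02T03:20:09Z 192.0.2.44 carol@example.com OK
"""

# Assumed thresholds; tune against your own baseline traffic.
MIN_ATTEMPTS = 10             # ignore sources with fewer attempts
MIN_FAIL_RATE = 0.5           # most attempts from an attacker fail
MIN_DISTINCT_USER_RATIO = 0.8 # stuffing: nearly every attempt is a new username


@dataclass
class SourceStats:
    attempts: int = 0
    failures: int = 0
    usernames: set = field(default_factory=set)
    successes: set = field(default_factory=set)  # accounts actually entered


def parse_line(line):
    """Split one log line into (timestamp, source_ip, username, succeeded)."""
    ts, ip, user, result = line.split()
    return ts, ip, user, result == "OK"


def aggregate(log_text):
    """Per-source counters over all lines of the log."""
    stats = defaultdict(SourceStats)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, ip, user, ok = parse_line(line)
        s = stats[ip]
        s.attempts += 1
        s.usernames.add(user)
        if ok:
            s.successes.add(user)
        else:
            s.failures += 1
    return stats


def classify(s):
    """Label a source as normal, brute_force or credential_stuffing."""
    if s.attempts < MIN_ATTEMPTS:
        return "normal"
    if s.failures / s.attempts < MIN_FAIL_RATE:
        return "normal"
    # Many distinct usernames per attempt is the stuffing signature;
    # few usernames with many attempts is password brute force.
    if len(s.usernames) / s.attempts >= MIN_DISTINCT_USER_RATIO:
        return "credential_stuffing"
    return "brute_force"


def detect(log_text):
    """Map each suspicious source to (verdict, sorted accounts it logged into)."""
    findings = {}
    for ip, s in aggregate(log_text).items():
        verdict = classify(s)
        if verdict != "normal":
            findings[ip] = (verdict, sorted(s.successes))
    return findings


if __name__ == "__main__":
    for ip, (verdict, accounts) in detect(SAMPLE_LOG).items():
        print(f"{ip}: {verdict}; accounts to review: {accounts or 'none'}")
```

Two caveats for real deployments. Campaigns are usually spread across many proxy or residential IP addresses so that each source stays under a per-IP threshold; group by time window, ASN, user agent or device fingerprint as well, and compare total login volume and failure rate against a historical baseline, which is the "higher than expected traffic" signal the article mentions. And the `successes` list is the important output: those are the accounts an operator must investigate, force a password reset on, and, where the stored data warrants it, notify.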
Then, in the fall of 2018, attackers gained access to more than 300,000 customer accounts through credential stuffing attacks. Approximately 175,000 of those accounts had at least one stored value card associated with them. According to the lawsuit, Dunkin’ notified the affected customers in November 2018, but the notification implied only that unauthorized third parties may have attempted to log in to the customer’s account, when in fact those accounts had actually been accessed by an unauthorized party.
The lawsuit asserts causes of action under New York law for repeated and persistent fraudulent business conduct, deceptive business practices, and false advertising. It also alleges violation of New York’s data breach notification law. The lawsuit alleges that Dunkin’ violated those laws by misrepresenting to its customers the steps Dunkin’ took to safeguard customer accounts, failing to properly investigate and provide notification of the breaches, and misrepresenting the nature of the attacks.
The case illustrates the importance of investigating and remediating suspected data breaches quickly, and of thoroughly documenting the resulting analysis and course of action. For example, Dunkin’ stated that the accounts breached in 2015 did not contain any customer payment card data, and that customer notification was therefore not required. Comprehensive documentation of the steps Dunkin’ took to reach that determination could provide powerful evidence that it did not violate the law. With regard to the 2018 breach, Dunkin’ states that it properly notified affected customers. Again, documentation of the steps Dunkin’ took to identify compromised accounts and mitigate the risk of harm to its customers will be a key component of its defense.