On Tuesday, the New York Attorney General Letitia James announced a settlement with Dunkin’ Brands, Inc. over allegations that the company failed to adequately respond to years of cyberattacks that compromised customers’ online accounts.
According to the lawsuit, Dunkin’ customers with “DD Perks” accounts were first targeted in early 2015 in a series of “credential stuffing attacks” — which were automated attempts to gain access to accounts using usernames and passwords stolen through security breaches of other unrelated websites.
Allegedly, the maker of the Dunkin’ app repeatedly warned Dunkin’ of these attacks, but Dunkin’ failed to investigate them to identify which accounts had been compromised, what customer information may have been acquired, and whether customer funds had been stolen. The lawsuit alleged that the 2015 incident impacted nearly 20,000 customers and that the subsequent 2018 attack affected roughly another 300,000 customers.
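The investigation the complaint describes as missing (working out which accounts a credential stuffing campaign touched and which logins actually succeeded) is routine log analysis. The following is an added illustration, not code from Dunkin’, its app vendor, or the settlement: it scans constructed authentication log lines for source addresses that try many distinct usernames with a high failure rate, then lists the accounts those sources targeted and the ones where a login succeeded, which is the population a password reset and customer notification would need to cover. The log format, field names and thresholds are assumptions for the example.

```python
import re
from collections import defaultdict

# Constructed sample authentication log (not real customer data).
# One source tries eight different accounts and gets one of them right;
# the other two sources are ordinary users logging in to their own accounts.
SAMPLE_LOG = """\
2015-03-01T10:00:01Z src=203.0.113.5 user=acct01 result=FAIL
2015-03-01T10:00:02Z src=203.0.113.5 user=acct02 result=FAIL
2015-03-01T10:00:02Z src=203.0.113.5 user=acct03 result=FAIL
2015-03-01T10:00:03Z src=203.0.113.5 user=acct04 result=FAIL
2015-03-01T10:00:03Z src=203.0.113.5 user=acct05 result=FAIL
2015-03-01T10:00:04Z src=203.0.113.5 user=acct06 result=OK
2015-03-01T10:00:04Z src=203.0.113.5 user=acct07 result=FAIL
2015-03-01T10:00:05Z src=203.0.113.5 user=acct08 result=FAIL
2015-03-01T10:01:10Z src=198.51.100.7 user=alice result=OK
2015-03-01T10:02:30Z src=198.51.100.9 user=carol result=FAIL
2015-03-01T10:02:41Z src=198.51.100.9 user=carol result=OK
"""

# Assumed log line layout: timestamp, source address, username, outcome.
LINE_RE = re.compile(r"^(\S+) src=(\S+) user=(\S+) result=(OK|FAIL)$")


def parse_log(lines):
    """Yield (timestamp, source_ip, username, succeeded) for well-formed lines; skip the rest."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ts, src, user, result = m.groups()
            yield ts, src, user, result == "OK"


def detect_credential_stuffing(lines, min_distinct_users=5, min_fail_ratio=0.8):
    """Flag sources that spray logins across many accounts and mostly fail.

    Returns {source_ip: {"attempts", "distinct_users", "targeted", "compromised"}}.
    A normal user retrying one password on one account never reaches
    min_distinct_users, so only the spraying pattern is reported.
    """
    stats = defaultdict(lambda: {"attempts": 0, "failures": 0,
                                 "users": set(), "compromised": set()})
    for _, src, user, ok in parse_log(lines):
        s = stats[src]
        s["attempts"] += 1
        s["users"].add(user)
        if ok:
            s["compromised"].add(user)   # a stuffed credential that worked
        else:
            s["failures"] += 1

    report = {}
    for src, s in stats.items():
        fail_ratio = s["failures"] / s["attempts"]
        if len(s["users"]) >= min_distinct_users and fail_ratio >= min_fail_ratio:
            report[src] = {
                "attempts": s["attempts"],
                "distinct_users": len(s["users"]),
                "targeted": sorted(s["users"]),
                "compromised": sorted(s["compromised"]),
            }
    return report


def accounts_to_reset(report):
    """Every account a flagged source touched, whether or not the login succeeded."""
    users = set()
    for entry in report.values():
        users.update(entry["targeted"])
    return sorted(users)


if __name__ == "__main__":
    findings = detect_credential_stuffing(SAMPLE_LOG.splitlines())
    for src, entry in findings.items():
        print(f"{src}: {entry['attempts']} attempts across {entry['distinct_users']} accounts, "
              f"successful logins on {entry['compromised']}")
    print("accounts to reset and notify:", accounts_to_reset(findings))
```

The two thresholds are the design choice: the distinct-user count separates a spray from one customer mistyping a password, and the failure ratio separates it from a shared corporate or carrier address where many real users log in successfully. Accounts in `compromised` are the ones where funds or data may already have been exposed; the wider `targeted` list is the notification and reset population.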
Dunkin’ issued a statement on Tuesday disputing the claims, saying that it had notified and reset the passwords of many customers affected by these attacks and that it had strengthened its security measures before the settlement.
Under the terms of the settlement with the Attorney General, Dunkin’ will be required to notify customers impacted by the attacks, reset those customers’ passwords, and provide refunds for any unauthorized use of customers’ stored value cards. The company must also maintain safeguards to protect against similar attacks in the future, follow incident response procedures when an attack occurs, and pay $650,000 in penalties and costs to New York State.
The full text of the settlement is available here. This case is a good reminder for companies to ensure they have an appropriate data security program in place to address and respond to breaches should the need arise, including breaches that may be limited to online account credentials.