By Bruce Sussman
Mon | Dec 2, 2019 | 8:05 AM PST

Are the holes in the Dunkin' Donuts cybersecurity program bigger than the holes in its donuts?

You could draw that conclusion based on a 2019 lawsuit filed against the donut and coffee chain, which has more than 8,000 U.S. locations.

Maybe you've seen a headline about this lawsuit. But have you looked at the serious accusations it makes about a household name's cybersecurity practices? 

We did and want to share them with our SecureWorld readers.

Why is the State of New York suing Dunkin' Donuts over cybersecurity?

The State of New York is suing Dunkin' Brands and the lawsuit contains some damning claims about the chain's security failures, which it paints as being deliberate and in violation of the chain's own security policies.

The lawsuit alleges the chain's cyber incidents violated New York's consumer protection laws and the state's data breach notification laws.

What does the Dunkin' Donuts cybersecurity lawsuit say?

Here are excerpts from the lawsuit, which got its start following a credential stuffing attack on the DD loyalty program:

  • "For at least a decade, Defendant has sold Dunkin'-branded stored value cards that can be used to purchase beverages, food, and merchandise, both at Dunkin' stores and online on the Dunkin' website. Dunkin' enables customers to register and manage these cards by creating a Dunkin' user account online."
  • "In 2015, Dunkin's customer accounts were targeted in a series of online attacks. During this period, attackers made millions of automated attempts to access customer accounts. Tens of thousands of customer accounts were compromised. Tens of thousands of dollars on customers' stored value cards were stolen."

Part of this money was stolen as attackers took advantage of customers who had set up the auto-reload feature on their DD cards. A cybercriminal could spend the card's value, and the card would then reload itself with more money, like magic.

None of this should have been a surprise to Dunkin' Donuts, because a vendor had told the company the attack was happening and that it was significant:

  • "Dunkin' was aware of these attacks at least as early as May 2015. Indeed, over a period of several months during the summer of 2015, Dunkin's app developer repeatedly alerted Dunkin' to attackers' ongoing attempts to log in to customer accounts. The vendor even provided Dunkin' with a list of 19,715 customer accounts that had been accessed by attackers over just a sample five-day period. Dunkin' itself identified dozens of other accounts that had been 'taken over' by attackers."

This is where the lawsuit accuses Dunkin' Donuts of violating its own cybersecurity and incident response policies:

  • "Despite having promised customers that it would protect their personal information and company policies that required a thorough and deliberate investigation, Dunkin' failed to conduct an appropriate investigation into, and analysis of, the attacks to determine which customer accounts had been compromised, what customer information had been acquired, and whether customer funds had been stolen."

After all of this information reached the donut giant, the lawsuit alleges, Dunkin' Donuts responded by... doing nothing.

  • "Worse still, Dunkin' failed to take any action to protect many of the customers whose accounts it knew had been compromised. Among other failures, Dunkin' did not notify its customers of the breach, reset their account passwords to prevent further unauthorized access, or freeze the stored value cards registered with their accounts."
  • "Even after more than four years, Dunkin' has yet to conduct an appropriate investigation into the reported attacks or take appropriate action to protect its customers."
  • "Moreover, following the attacks in 2015, Dunkin' failed to implement appropriate safeguards to limit future brute force attacks through the mobile app. The attacks, and customer reports of compromised accounts, continued."
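The pattern the lawsuit describes, millions of automated login attempts spread across many accounts, is exactly what a credential stuffing detector looks for. As an added example that is not from the article or from Dunkin', the Python below flags login sources that hit many distinct accounts with a high failure rate in a constructed authentication log, then lists the accounts that saw a successful login from such a source so they can be reset and their stored-value cards frozen; the log format, thresholds and sample data are assumptions.

```python
from collections import defaultdict

# Constructed sample auth log (not real data): timestamp, source IP, account, result.
# One source cycles through many accounts with mostly failures (stuffing);
# the other is an ordinary user who mistypes once and then logs in.
SAMPLE_LOG = """\
2015-05-03T10:00:01Z 203.0.113.7 alice@example.com FAIL
2015-05-03T10:00:01Z 203.0.113.7 bob@example.com FAIL
2015-05-03T10:00:02Z 203.0.113.7 carol@example.com OK
2015-05-03T10:00:02Z 203.0.113.7 dan@example.com FAIL
2015-05-03T10:00:03Z 203.0.113.7 erin@example.com FAIL
2015-05-03T10:00:03Z 203.0.113.7 frank@example.com FAIL
2015-05-03T10:00:04Z 203.0.113.7 grace@example.com FAIL
2015-05-03T10:00:04Z 203.0.113.7 heidi@example.com FAIL
2015-05-03T10:05:00Z 198.51.100.4 dave@example.com FAIL
2015-05-03T10:05:20Z 198.51.100.4 dave@example.com OK
2015-05-03T11:30:00Z 198.51.100.4 dave@example.com OK
"""


def parse_auth_log(text):
    """Parse whitespace-separated log lines into (ts, ip, account, result) tuples."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, ip, account, result = line.split()
            events.append((ts, ip, account, result))
    return events


def find_stuffing_sources(events, min_accounts=5, min_fail_ratio=0.8):
    """Return {ip: (distinct_accounts, fail_ratio)} for sources that look like
    credential stuffing: many different accounts tried, mostly unsuccessfully.
    A single user retrying their own password never trips this rule."""
    per_ip = defaultdict(lambda: {"accounts": set(), "fail": 0, "total": 0})
    for _, ip, account, result in events:
        stats = per_ip[ip]
        stats["accounts"].add(account)
        stats["total"] += 1
        stats["fail"] += result == "FAIL"
    flagged = {}
    for ip, stats in per_ip.items():
        ratio = stats["fail"] / stats["total"]
        if len(stats["accounts"]) >= min_accounts and ratio >= min_fail_ratio:
            flagged[ip] = (len(stats["accounts"]), ratio)
    return flagged


def accounts_to_protect(events, flagged_ips):
    """Accounts that a flagged source logged into successfully: the list a
    response team would reset and whose stored-value cards it would freeze."""
    return sorted({a for _, ip, a, r in events if ip in flagged_ips and r == "OK"})


if __name__ == "__main__":
    evs = parse_auth_log(SAMPLE_LOG)
    bad = find_stuffing_sources(evs)
    print("stuffing sources:", bad)
    print("accounts to reset/freeze:", accounts_to_protect(evs, bad))
```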

Lawsuit: Dunkin' Donuts downplays another data breach

And according to the lawsuit, Dunkin's failure to act led to a much larger data breach in 2018 which the company downplayed to its customers:

"In late 2018, a vendor notified Dunkin' that customer accounts had again been attacked, and that the attacks had resulted in the unauthorized access of more than 300,000 customer accounts.

Although Dunkin' contacted impacted customers, Dunkin' did not disclose to these customers that their accounts had been accessed without authorization. Instead, Dunkin' falsely conveyed that a third party had 'attempted,' but failed, to log in to the customers' accounts. And Dunkin' falsely conveyed to some customers that the third party's attempts to log in may have failed because Dunkin's vendor had blocked them."

How has Dunkin' Donuts responded to the cybersecurity lawsuit?

Dunkin' Donuts essentially calls the lawsuit bogus and claims it is stunned:

"For more than two years, we have fully cooperated with the AG's investigation into this matter, and we are shocked and disappointed that they chose to move ahead with this lawsuit given the lack of merit to their case," Karen Raskopf, Dunkin' Brands' Chief Communications Officer said in an emailed statement to FOX Business.

Is this case without merit? We've only hit the highlights here; wait until you read the details of the New York vs. Dunkin' Brands lawsuit.

We are sure about one thing: there is still more work to be done to raise the flag of cybersecurity in many organizations across North America.

Getting buy-in to develop a culture of security comes up at every regional SecureWorld cybersecurity conference. Here is how you can join the conversation.