Thu | Sep 17, 2020 | 4:30 AM PDT

Dunkin's donut holes are delicious.

But the holes in the company's cybersecurity program are expensive. 

New York Attorney General Letitia James just announced the settlement of a data breach lawsuit between the AG's office and Dunkin' Donuts. 

Dunkin' Donuts cybersecurity lawsuit details

According to state investigators, Dunkin' Donuts failed to respond to a series of successful cyberattacks that left tens of thousands of customers' online accounts vulnerable. 

Now, the company is being forced to take certain information security measures and pay a $650,000 fine to the state of New York.

New York's Attorney General did not hold back:

"For years, Dunkin' hid the truth and failed to protect the security of its customers, who were left paying the bill. It's time to make amends and finally fill the holes in Dunkin's cybersecurity.

Not only will customers be reimbursed for lost funds, but we are ensuring the company's dangerous brew of lax security and negligence comes to an end."

Cybersecurity changes Dunkin' Donuts agrees to make

In the "Affirmative Obligations" section of the Consent Order and Judgment, Dunkin' Donuts agrees to make the following cybersecurity changes:

  • "Defendant shall not misrepresent its data security practices."
  • "Defendant shall maintain a comprehensive information security program designed to protect Customer Personal Information that includes, at a minimum, reasonable technological, administrative, and physical safeguards."
  • "The Security Program must include reasonable measures to protect Customer Accounts against brute force and credential stuffing attacks."
  • "In the event that Defendant has a reasonable suspicion that there has been a Data Security Event, Defendant shall promptly conduct a reasonable investigation aimed at determining whether the Data Security Event is ongoing, the cause and scope of the Data Security Event, the Customer Accounts that may have been affected, and the categories of Customer Personal Information that may have been accessed and/or acquired."

AG: Dunkin' Donuts has a history of cybersecurity fails

The New York lawsuit against Dunkin' Donuts says the company has repeatedly failed at cybersecurity. This goes back at least five years, according to the judgment:

"In 2015, Dunkin's customer accounts were targeted in a series of online attacks. During this period, attackers made millions of automated attempts to access customer accounts. Tens of thousands of customer accounts were compromised. Tens of thousands of dollars on customers' stored value cards were stolen."

This type of attack, in which attackers replay username and password pairs leaked from other breaches in millions of automated login attempts, is known as a credential stuffing attack. It differs from a classic brute force attack, which hammers a single account with many password guesses. The FBI has recently investigated and warned of this threat vector.
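The two attack shapes the consent order names, credential stuffing and brute force, leave different fingerprints in authentication logs, and the order also requires determining "the Customer Accounts that may have been affected." The following is an added example (not code from the article, the AG's office, or Dunkin') that classifies each source address in a small set of constructed login records and lists the accounts an attacking source actually got into, which is the set a defender would reset and notify. The log format, field names and thresholds are assumptions chosen for illustration.

```python
"""Flag credential-stuffing and brute-force login patterns in auth logs.

Added example, not part of the original article. The log format, field names
and thresholds below are assumptions chosen for illustration.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample (not real data): 203.0.113.7 tries many accounts once
# each (the credential-stuffing shape), 198.51.100.9 hammers one account
# (brute force), and 192.0.2.5 is a legitimate user who mistyped once.
SAMPLE_LOG = """\
2020-09-17T04:30:00Z src=203.0.113.7 user=cust0001 result=FAIL
2020-09-17T04:30:00Z src=203.0.113.7 user=cust0002 result=FAIL
2020-09-17T04:30:01Z src=203.0.113.7 user=cust0003 result=OK
2020-09-17T04:30:01Z src=203.0.113.7 user=cust0004 result=FAIL
2020-09-17T04:30:01Z src=203.0.113.7 user=cust0005 result=FAIL
2020-09-17T04:30:02Z src=203.0.113.7 user=cust0006 result=FAIL
2020-09-17T04:30:02Z src=203.0.113.7 user=cust0007 result=OK
2020-09-17T04:30:02Z src=203.0.113.7 user=cust0008 result=FAIL
2020-09-17T04:30:03Z src=198.51.100.9 user=cust0042 result=FAIL
2020-09-17T04:30:03Z src=198.51.100.9 user=cust0042 result=FAIL
2020-09-17T04:30:04Z src=198.51.100.9 user=cust0042 result=FAIL
2020-09-17T04:30:04Z src=198.51.100.9 user=cust0042 result=FAIL
2020-09-17T04:30:05Z src=198.51.100.9 user=cust0042 result=FAIL
2020-09-17T04:30:05Z src=198.51.100.9 user=cust0042 result=FAIL
2020-09-17T04:31:00Z src=192.0.2.5 user=cust0100 result=FAIL
2020-09-17T04:31:05Z src=192.0.2.5 user=cust0100 result=OK
"""

LINE_RE = re.compile(r"^(\S+) src=(\S+) user=(\S+) result=(OK|FAIL)$")


def parse_log(text):
    """Parse log lines into dicts; malformed lines are skipped, not fatal."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, src, user, result = m.groups()
            records.append({"ts": ts, "src": src, "user": user, "ok": result == "OK"})
    return records


@dataclass
class SourceStats:
    attempts: int = 0
    failures: int = 0
    users: set = field(default_factory=set)       # distinct accounts tried
    successes: set = field(default_factory=set)   # accounts this source got into


def source_stats(records):
    """Aggregate attempts, failures and account spread per source address."""
    stats = defaultdict(SourceStats)
    for r in records:
        s = stats[r["src"]]
        s.attempts += 1
        s.users.add(r["user"])
        if r["ok"]:
            s.successes.add(r["user"])
        else:
            s.failures += 1
    return stats


def classify(s, min_attempts=5, min_fail_ratio=0.5, spray_ratio=0.8):
    """Label one source. The thresholds are illustrative assumptions."""
    if s.attempts < min_attempts or s.failures / s.attempts < min_fail_ratio:
        return "normal"
    if len(s.users) / s.attempts >= spray_ratio:
        return "credential_stuffing"   # many accounts, about one try each
    if len(s.users) <= 2:
        return "brute_force"           # many tries against one or two accounts
    return "suspicious"


def classify_sources(records):
    return {src: classify(s) for src, s in source_stats(records).items()}


def accounts_needing_reset(records):
    """Accounts an attacking source actually logged into: reset and notify these."""
    stats = source_stats(records)
    hit = set()
    for src, label in classify_sources(records).items():
        if label in ("credential_stuffing", "brute_force"):
            hit |= stats[src].successes
    return sorted(hit)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for src, label in classify_sources(recs).items():
        print(f"{src}: {label}")
    print("accounts to reset:", accounts_needing_reset(recs))
```

The telling signal for stuffing is not the raw attempt count but the spread: one source, many distinct accounts, roughly one try per account, and a small but non-zero success rate, since the replayed passwords are valid somewhere. Real campaigns spread requests across large proxy pools to stay under per-address thresholds, so a per-source heuristic like this one is a starting point, not a complete control; it should sit alongside rate limiting, checks of new passwords against known-breached lists, and multi-factor authentication.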

However, the fact that Dunkin' fell victim to a cyberattack does not by itself warrant a lawsuit by the state. It was what the company failed to do after the attacks that added to its problems:

"Despite having promised customers that it would protect their personal information and company policies that required a thorough and deliberate investigation, Dunkin' failed to conduct an appropriate investigation into, and analysis of, the attacks to determine which customer accounts had been compromised, what customer information had been acquired, and whether customer funds had been stolen."

And then the security problems continued:

"Worse still, Dunkin' failed to take any action to protect many of the customers whose accounts it knew had been compromised. Among other failures, Dunkin' did not notify its customers of the breach, reset their account passwords to prevent further unauthorized access, or freeze the stored value cards registered with their accounts.

Even after more than four years, Dunkin' has yet to conduct an appropriate investigation into the reported attacks or take appropriate action to protect its customers.

Moreover, following the attacks in 2015, Dunkin' failed to implement appropriate safeguards to limit future brute force attacks through the mobile app. The attacks, and customer reports of compromised accounts, continued."

Hackers successfully attacked the company again because it had not implemented a strong information security program:

"In late 2018, a vendor notified Dunkin' that customer accounts had again been attacked, and that the attacks had resulted in the unauthorized access of more than 300,000 customer accounts.

Although Dunkin' contacted impacted customers, Dunkin' did not disclose to these customers that their accounts had been accessed without authorization. Instead, Dunkin' falsely conveyed that a third party had 'attempted,' but failed, to log in to the customers' accounts. And Dunkin' falsely conveyed to some customers that the third party's attempts to log in may have failed because Dunkin's vendor had blocked them."

Finally, five years after the initial cyber incidents, a settlement has now been reached between Dunkin' and the state of New York.

Hopefully, the company will now fill the holes in its cybersecurity program for the sake of its reputation and for those who love the chain's donuts and coffee.