Attorney General James Gets Dunkin’ to Fill Holes in Security, Reimburse Hacked Customers

Lawsuit Alleged Dunkin’ Failed to Investigate Ongoing Attacks,
Protect Impacted Customers, and Implement Appropriate Safeguards

Dunkin’ Agrees to Notify and Refund Customers, Protect Against Future
Attacks, and Pay an Additional $650,000 in Penalties and Costs

NEW YORK – New York Attorney General Letitia James today announced a settlement with Dunkin’ Brands, Inc. (Dunkin’) — franchisor of Dunkin’ Donuts — resolving a lawsuit over the company’s failure to respond to successful cyberattacks that compromised tens of thousands of customers’ online accounts. The settlement requires the company to notify customers impacted in the attacks, reset those customers’ passwords, and provide refunds for unauthorized use of customers’ stored value cards. Dunkin’ will also be required to maintain safeguards to protect against similar attacks in the future, follow incident response procedures when an attack occurs, and pay $650,000 in penalties and costs to the state of New York.

“For years, Dunkin’ hid the truth and failed to protect the security of its customers, who were left paying the bill,” said Attorney General James. “It’s time to make amends and finally fill the holes in Dunkin’s’ cybersecurity. Not only will customers be reimbursed for lost funds, but we are ensuring the company’s dangerous brew of lax security and negligence comes to an end. My office is committed to protecting consumer data and holding all businesses accountable for implementing safe security practices.”

Attacks on Thousands of Consumers’ Accounts

Beginning in early 2015, Dunkin’ customers’ online accounts were targeted in a series of “credential stuffing attacks” — repeated, automated attempts to gain access to accounts using usernames and passwords stolen through security breaches of other unrelated websites or online services. In a matter of months, tens of thousands of customer accounts were compromised. Many of these accounts held Dunkin’-branded stored value cards — known as “DD cards” — which could be used to make purchases at Dunkin’ stores. An attacker that gained access to one of these accounts would have been able to use the DD card to make purchases, or remove the card from the account and sell it online. As a result of these attacks, tens of thousands of dollars on customers’ DD cards were stolen.

Dunkin’ was repeatedly alerted to attackers’ ongoing attempts to log in to customer accounts by a third-party app developer. The app developer even provided Dunkin’ with a list of nearly 20,000 accounts that had been compromised by attackers over just a sample five-day period. Yet, Dunkin’ failed to conduct an investigation into the attacks to identify other customer accounts that had been compromised, determine what customer information had been acquired, or whether customer funds had been stolen. Moreover, Dunkin’ did nothing to protect the nearly 20,000 customers that it knew had been impacted in the attacks or the potentially thousands more they did not know about. Among other missteps, Dunkin’ failed to notify these customers of unauthorized access to their accounts, reset their account passwords to prevent further unauthorized access, or freeze their DD cards.

Additionally, after learning of the attacks, Dunkin’ failed to implement appropriate safeguards to protect customers against future attacks through the Dunkin’ mobile app. The attacks continued for years.

Attorney General James filed a complaint last September, alleging that Dunkin’ violated New York’s data breach notification statute — General Business Law § 899-aa — by failing to notify consumers and New York state authorities of the data breach. The lawsuit also alleged that Dunkin’ violated New York’s consumer protection laws — including Executive Law § 63(12), and General Business Laws §§ 349 and 350 — by misrepresenting to consumers that it used reasonable safeguards to protect customers’ personal information.

Over the course of this past year’s litigation, the Office of the Attorney General (OAG) discovered thousands of additional customer accounts that appeared to have been compromised through credential stuffing attacks between 2015 and 2018.

Settlement Requires Notice, Refund to Impacted Customers, and Enhanced Data Security Practices

Under the terms of the settlement, Dunkin’ is required to take the following steps to notify, protect, and refund New York customers impacted in credential stuffing attacks:

  • Customers who had a registered DD card: To the extent it has not already done so, Dunkin’ will reset the password of each New York customer impacted in an attack who had a DD card registered to their account at the time and notify these customers that their accounts were, or may have been, accessed. Dunkin’ will also notify these customers that they are eligible for a refund for any fraudulent activity that resulted from an attack. 
    Customers will have 90 days to contact Dunkin’ by calling (800) 447-0013 or by emailing customerservice@dunkinbrands.com to request copies of their account records and report fraudulent activity.
     
  • Customers who did not have a registered DD card: To the extent it has not already done so, Dunkin’ will reset the password of each New York customer impacted in an attack who did not have a DD card registered to their account at the time and inform the customer that their account was, or may have been, accessed.

Dunkin’ will also be required to maintain reasonable safeguards to protect against future credential stuffing attacks. Additionally, in the future, Dunkin’ must follow incident response procedures when an attack occurs, which would include conducting a reasonable investigation to identify customer accounts that may have been compromised, and — in situations where customers have been impacted in an attack — resetting their passwords, providing notice, and transferring their account balances to new stored value card accounts.

Finally, Dunkin’ will pay $650,000 in penalties and costs to the state of New York.

New York’s Data Security Laws Require Appropriate Safeguards, Incident Response Policies to Address Credential Stuffing Attacks

Credential stuffing has quickly become one of the most common forms of online attack. To comply with New York’s data security laws, businesses that maintain New Yorkers’ private information must take steps to address this growing threat.

  • Implement reasonable safeguards to address credential stuffing attacks: New York’s safeguards law — General Business Law § 899-bb — requires that businesses maintain reasonable safeguards to protect New York residents’ private information. These safeguards should include appropriate measures to mitigate well-known attack vectors, including credential stuffing.
  • Develop appropriate incident response procedures for credential stuffing attacks: New York’s safeguards law also requires that businesses develop and implement appropriate incident response procedures. These procedures may include conducting a reasonable investigation to identify customers impacted in a credential stuffing attack and taking appropriate action to protect those impacted customers, such as resetting customers’ passwords, freezing customers’ accounts, or alerting customers to a compromised account. New York’s data breach notification law — General Business Law § 899-aa — may also require notifying customers whose private information has been accessed or acquired in a credential stuffing attack.

This matter was handled by Assistant Attorneys General Johanna Skrzypczyk and Ezra Sternstein, Senior Enforcement Counsel Jordan Adler, Volunteer Assistant Attorney General Nathaniel Kosslyn, Legal Assistant Richard Borgia, Internet Technology Analyst Joe Graham, Deputy Bureau Chief Clark Russell, and Bureau Chief Kim Berger — all of the Bureau of Internet and Technology, with special assistance from Director Jonathan Werberg of the Research and Analytics Department. The Bureau of Internet and Technology is a part of the Division for Economic Justice, which is overseen by Chief Deputy Attorney General Chris D’Angelo and First Deputy Attorney General Jennifer Levy.