Donut Shop Company Agrees to Issue Refunds, Pay Fines
Dunkin’ Brands’ settlement with the New York state attorney general of a lawsuit tied to a five-year-old data breach affecting its Perks rewards cardholders could open the door to suits by other states – as well as customers.
There could be a “pile on” effect as the Federal Trade Commission and other attorneys general take legal action against the popular donut and coffee chain, says attorney Mark Rasch, of the law firm of Kohrman, Jackson & Krantz, who is not involved in the case.
“More significantly, we likely will see class action lawsuits alleging specific damages to the class of Dunkin’ customers or others,” he says.
Under the New York settlement with Dunkin’ Brands, which is the franchiser of 12,900 Dunkin’ outlets and 8,000 Baskin-Robbins stores worldwide, the company must refund money to about 20,000 New York customers affected by a 2015 data breach and also pay $650,000 in fines, according to a settlement document.
The value of refunds for the funds stolen from rewards cards was not listed in the settlement.
The state’s lawsuit stemmed from a 2015 incident in which Dunkin’ was hit with a series of credential stuffing attacks targeting customer DD rewards cards across the U.S. Dunkin’ cards can be loaded with funds for making purchases at Dunkin’ locations. The cards also include customer information, such as name, email address, 16-digit DD Perks account number, PIN and, in some cases, account balances, the company says in a letter to those affected.
“An attacker who gained access to one of these accounts would have been able to use the DD card to make purchases or remove the card from the account and sell it online. As a result of these attacks, tens of thousands of dollars on customers’ DD cards were stolen,” says New York Attorney General Letitia James.
The attorney general’s office claims Dunkin’ was repeatedly alerted to the brute-force attacks by a third-party app developer but ignored the warnings. The developer noted that, over a sample five-day period, more than 20,000 accounts had been compromised. This raised some eyebrows in cybersecurity circles as such delays usually result in greater financial and reputational loss.
“The executive management team should have understood that accruing risk is not an economical solution. Sooner or later, the costs of having a breach become a reality,” says Fausto Oliveira, principal security architect at the cloud security firm Acceptto.
Total Customers Affected
Although the lawsuit said about 20,000 customers in New York had data compromised, there likely were many more victims in the state, James says. Her office has since discovered thousands of additional customer accounts that appeared to have been compromised through credential stuffing attacks between 2015 and 2019.
The state’s lawsuit, filed in September 2019, alleged that Dunkin’ violated New York’s data breach notification statute by failing to notify consumers and New York state authorities of the data breach. The state also alleged that Dunkin’ violated New York’s consumer protection laws by misrepresenting to consumers that it used reasonable safeguards to protect customers’ personal information.
The settlement requires Dunkin’ to reset the password on any New York customer cards registered during the affected period and notify customers who are eligible for a refund for any fraudulent activity on their card resulting from the data breach.
Dunkin’ must also maintain reasonable safeguards to protect against credential stuffing attacks. And the company must follow incident response procedures when an attack occurs, including “conducting a reasonable investigation to identify customer accounts that may have been compromised and – in situations where customers have been impacted in an attack – resetting their passwords, providing notice and transferring their account balances to new stored value card accounts,” the settlement states.