The parent company of Dunkin’ Donuts finally settled with New York Attorney General Letitia James on Tuesday, September 15, 2020, over a 2015 data breach. The donut company is slated to pay a fine of $650,000 as part of the settlement.
According to CBS Local New York, Dunkin’ Donuts had been accused of compromising the online accounts and personal information of thousands of customers.
In a statement, James said, “For years, Dunkin’ hid the truth and failed to protect the security of its customers, who were left paying the bill.”
“It’s time to make amends and finally fill the holes in Dunkin’s cybersecurity. Not only will customers be reimbursed for lost funds, but we are ensuring the company’s dangerous brew of lax security and negligence comes to an end,” continued New York’s Attorney General.
Data Breach Incident
Reuters states the data breach occurred between 2015 and 2018, with hackers reportedly obtaining customer information in those attacks. The details compromised in the incident include usernames and passwords, as well as thousands of dollars taken from customer-created accounts.
The tens of thousands of dollars stolen from the customer accounts were the product of “brute force” and “credential stuffing” attacks, reveals Reuters. The accounts had been created via the Dunkin’ Donuts website or mobile application.
Over a five-day period, the donut company was able to identify approximately 19,715 customers affected by the attacks. According to Reuters, the company’s own mobile application developer alerted it to the incident.
The data on the Dunkin’ customer award cards that may have been compromised also includes names, email addresses, account numbers, PINs, and account balances, reports Bank Info Security.
Despite repeated alerts, the company failed to address the incident or to inform the relevant parties about the breach of its system. As a result, in 2018, a total of around 300,000 customer accounts were compromised.
As part of its settlement agreement with the New York Attorney General, the Canton, Massachusetts-based firm is slated to provide affected individuals with password reset services. The company is also ordered to refund monetary losses from fraudulent activity that stemmed from the breach.
Likewise, the donut company should ensure that proper safeguards are in place to prevent credential stuffing attacks or other similar incidents from happening in the future.
A proper investigation must also be conducted, since the business failed to do so after the 5-year-old breach, reveals CBS Local New York.
Dunkin’ Brands Group Inc. also shared its view of the matter, saying that the cyberattacks affected fewer than one percent of its customers or Perks Loyalty members. In addition, Reuters notes that the company maintains that attackers did not gain access to customers’ credit card or payment details.
The parent company also said that it had “taken steps to make sure that any stored value cards associated with accounts are protected and secure.”