
Dunkin' Sued by New York Attorney General

By Netacea / 04th Oct 2019

Dunkin’ (a.k.a Dunkin’ Donuts) has found itself in hot water after New York Attorney General Letitia James filed a lawsuit against the chain. James’ suit accuses Dunkin’ of violating New York’s data breach notification statute and failing to implement precautionary measures following the first attack in 2015.

The chain has been targeted by multiple successful cyber-attacks that have allegedly exposed the personal data of tens of thousands of Dunkin’ customers who, according to the Attorney General, were neither made aware of the data breach nor given the chance to protect themselves.

What exactly have Dunkin' done wrong?

Governments are still getting to grips with identifying cyber-criminals and holding them to account, while the threat those criminals pose grows as data becomes an increasingly valuable commodity. This has put pressure on businesses to take responsibility for customer data security, so that in the event of a cyber-attack, personally identifiable information (PII) remains secure and the scope for exploitation is limited.

Legislation such as the EU’s General Data Protection Regulation (GDPR) and its equivalents puts organisations of all sizes, in all sectors, under enhanced scrutiny. Failure to meet the requirements will result in serious fines from the relevant supervisory body, which in the UK is the Information Commissioner’s Office (ICO).

What this means is that if a business is attacked and becomes vulnerable to a data breach, it must be able to show that it has done everything required to secure customer data. And if the data is breached, customers must be notified within 72 hours.

Dunkin’ are not the only business to be put under the data protection microscope in recent months. The GDPR has so far resulted in the ICO issuing British Airways and Marriott with fines totalling £300m for breaches of consumer data protection.

How were customers affected?

Dunkin’ was first targeted by a series of brute force attacks over a five-day period in 2015. The attack is believed to have compromised around 20,000 customer profiles containing registered Dunkin’ Donuts (DD) loyalty cards, which hold cash balances as well as loyalty points.

The perpetrators carried out the attack by replaying account names and passwords leaked in earlier data breaches to gain entry to the DD accounts. Once in, the attackers sold the victims’ DD accounts on the Dark Web or used them to make purchases, reportedly stealing “tens of thousands of dollars” from the victims.

The Attorney General’s announcement explains:

“…Dunkin’ failed to take any steps to protect these nearly 20,000 customers – or the potentially thousands more they did not know about – by notifying them of unauthorised access, resetting their account passwords to prevent further unauthorized access, or freezing their DD cards. Dunkin’ also failed to conduct any investigation into or analysis of the attacks to determine how many more customer accounts had been compromised, what customer information had been acquired, and whether customer funds had been stolen.”

In the second mass attack, in 2018, a further 300,000 Dunkin’ customer accounts were compromised. This time Dunkin’ did notify customers, telling them that a third party had attempted to break into their accounts, but reportedly did not acknowledge that the accounts had actually been compromised.

What could Dunkin' have done differently?

Cyber-attacks like those targeting Dunkin’ are growing in frequency and ferocity, with the tooling for automated brute force attacks such as credential stuffing and card cracking now readily accessible to anyone with the inclination to seek it out.

Automated brute force attacks are made possible using credentials leaked in previous data breaches which are available to all and sundry on the Dark Web. This is where the challenge often lies for businesses and where Dunkin’ have fallen foul.

Following the 2015 attack that compromised tens of thousands of customer accounts, Dunkin’ should have notified customers and strongly advised them to change their passwords to protect their accounts. Failing to do so not only left customers’ DD accounts exposed to plundering and resale on the Dark Web but created future problems. The credentials and any other PII acquired from the account can be bought and sold, putting every other account that reuses those details at risk of attack.

This loops us back to how the brute force attack was made possible in the first place and shows that, if allowed to carry on through a lack of due diligence, the cycle continues and escalates.
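The two failings described above (not spotting the credential-stuffing pattern, and not resetting and notifying the accounts it hit) can both be addressed from ordinary login logs. The following added example is not Netacea's or Dunkin's code; it runs over a small constructed login log and flags sources that try many distinct accounts with a low success rate, then lists the accounts that were successfully logged into from those sources, which are the ones to reset, notify and freeze. Thresholds and log format are assumptions.

```python
from collections import defaultdict

# Constructed sample login events (timestamp, source IP, username, outcome);
# one source cycles through many different accounts with mostly failures,
# which is the credential-stuffing signature rather than a password guess on one account.
SAMPLE_LOG = """\
2015-01-20T10:00:01 203.0.113.7 alice FAIL
2015-01-20T10:00:02 203.0.113.7 bob FAIL
2015-01-20T10:00:02 203.0.113.7 carol OK
2015-01-20T10:00:03 203.0.113.7 dave FAIL
2015-01-20T10:00:03 203.0.113.7 erin FAIL
2015-01-20T10:00:04 203.0.113.7 frank OK
2015-01-20T10:00:05 203.0.113.7 grace FAIL
2015-01-20T10:01:00 198.51.100.9 alice FAIL
2015-01-20T10:01:05 198.51.100.9 alice OK
2015-01-20T10:02:00 192.0.2.4 heidi OK
"""

def parse_events(text):
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, ip, user, outcome = line.split()
            events.append({"ts": ts, "ip": ip, "user": user, "ok": outcome == "OK"})
    return events

def find_stuffing_sources(events, min_users=5, max_success_rate=0.5):
    """Flag a source that tries at least min_users distinct accounts with a low
    success rate: leaked credential lists are only partly still valid, so a
    stuffing run is many one-shot attempts, most of which fail (thresholds assumed)."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    flagged = {}
    for ip, evs in by_ip.items():
        users = {e["user"] for e in evs}
        rate = sum(e["ok"] for e in evs) / len(evs)
        if len(users) >= min_users and rate <= max_success_rate:
            flagged[ip] = {"accounts_tried": len(users), "success_rate": round(rate, 2)}
    return flagged

def accounts_needing_reset(events, flagged_ips):
    """Accounts successfully accessed from a flagged source are presumed compromised:
    force a password reset, notify the customer and freeze the stored-value card."""
    return sorted({e["user"] for e in events if e["ok"] and e["ip"] in flagged_ips})

def triage(text=SAMPLE_LOG):
    events = parse_events(text)
    flagged = find_stuffing_sources(events)
    return {"flagged_sources": flagged,
            "reset_and_notify": accounts_needing_reset(events, flagged)}
```

The single retry against one account from 198.51.100.9 is not flagged, so a legitimate user mistyping a password is not swept into the reset list.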

To learn more about the impact of historic data breaches, read our recent blog: It Might Not Be Your Breach, But It Is Your Problem. Alternatively, if you’d like to find out how working with bot management experts protects your organisation and your customers from automated traffic attacks, talk to our team today.
