Dunkin’ Donuts has agreed to pay $650,000 in penalties and costs to settle a lawsuit over its failure to respond to credential stuffing attacks that compromised customer accounts between 2015 and 2019.
In early 2015, Dunkin’, franchisor of Dunkin’ Donuts, was repeatedly alerted by its third-party app developer to unauthorized access to customer accounts that exposed shopper names, email addresses, 16-digit DD Perks account numbers and PINs. Many of these compromised accounts also held Dunkin’-branded stored value cards (DD cards) that could be used to purchase baked goods and beverages. In under a week, the attacks exposed nearly 20,000 shopper accounts, and criminals stole tens of thousands of dollars from customers’ DD cards.
According to the New York Attorney General’s Office, Dunkin’, franchisor of Dunkin’ Donuts, “failed to notify these customers of unauthorized access to their accounts, reset their account passwords to prevent further unauthorized access or freeze their DD cards.”
The company suffered similar attacks in 2018. “In November 2018 or February 2019, Dunkin’s security vendor had identified usernames and passwords, including yours, that were likely obtained through other companies’ security breaches (not through any compromise of Dunkin’s own internal systems) and were made available on the Internet,” reads a supplemental notice of data breach filed with the Attorney General’s Office. “Malicious actors used those usernames and passwords to obtain DD Perks account information, including stored value card numbers and PINs.”
On top of the $650,000 in penalties and costs to be paid to the State of New York, Dunkin’ must notify all impacted customers, reset account passwords, and provide refunds for unauthorized use of shopper DD cards. Additionally, the company must upgrade its security protocols to avoid future unauthorized access and follow data breach notification procedures in any future incidents.