The multinational American coffee and doughnut chain, Dunkin’ Donuts Inc, is the latest large company to have fallen foul of New York’s data breach notification law. The breach and subsequent lawsuit led to a settlement which saw the company paying $650,000 in penalties and costs to the state of New York.
Dunkin’ Donuts’ failure to respond to a series of cyber attacks over the past five years resulted in the compromise of approximately 300,000 online customer accounts.
How did the cyber attack happen?
Warnings of security issues in the app and website's systems dated back to 2015 - when hackers first targeted customers' online accounts, stealing email addresses, 16-digit DD Perks account numbers, and PINs. This information was then used to carry out a series of credential stuffing attacks. Credential stuffing is a method of cyber attack in which hackers take username and password combinations exposed in earlier breaches and try them, usually with automated tools, to gain unauthorized access to accounts on other websites.
The red flags were reported five years ago by Dunkin' Donuts' app developer, CorFire; however, its concerns were ignored. As a result of the company's failure to enact a timely response, hackers managed to steal tens of thousands of dollars - using automated software that guessed customers' identification information in order to access their online accounts.
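The automated guessing described above leaves a recognisable trace in a login audit log: one source address cycling through many different accounts with mostly failed attempts. The following detection script is an added example written for this article, not code from Dunkin' Donuts or CorFire; the log format and the sample lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample login-audit lines (not real data); one line per attempt.
SAMPLE_LOG = """\
2020-09-01T10:00:01Z ip=203.0.113.7 user=alice@example.com result=FAIL
2020-09-01T10:00:02Z ip=203.0.113.7 user=bob@example.com result=FAIL
2020-09-01T10:00:02Z ip=203.0.113.7 user=carol@example.com result=SUCCESS
2020-09-01T10:00:03Z ip=203.0.113.7 user=dave@example.com result=FAIL
2020-09-01T10:00:03Z ip=203.0.113.7 user=erin@example.com result=FAIL
2020-09-01T10:00:04Z ip=203.0.113.7 user=frank@example.com result=FAIL
2020-09-01T10:05:00Z ip=198.51.100.9 user=grace@example.com result=FAIL
2020-09-01T10:05:20Z ip=198.51.100.9 user=grace@example.com result=SUCCESS
"""

# Assumed log layout: key=value fields for source ip, user and result.
LINE_RE = re.compile(r"ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>\w+)")

def parse_attempts(log_text):
    """Yield (ip, user, succeeded) tuples from the audit log."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m["ip"], m["user"], m["result"] == "SUCCESS"

def find_stuffing_sources(log_text, min_accounts=5, min_fail_ratio=0.8):
    """Return {ip: summary} for sources that look like credential stuffing.
    A stuffing run touches many distinct accounts from one source and most
    attempts fail, because only a fraction of leaked pairs are still valid.
    A single user retrying their own password is not flagged."""
    per_ip = defaultdict(lambda: {"users": set(), "attempts": 0, "failures": 0, "hits": set()})
    for ip, user, ok in parse_attempts(log_text):
        s = per_ip[ip]
        s["users"].add(user)
        s["attempts"] += 1
        if ok:
            s["hits"].add(user)  # accounts to reset and notify, per the settlement terms
        else:
            s["failures"] += 1
    flagged = {}
    for ip, s in per_ip.items():
        fail_ratio = s["failures"] / s["attempts"]
        if len(s["users"]) >= min_accounts and fail_ratio >= min_fail_ratio:
            flagged[ip] = {"accounts_tried": len(s["users"]),
                           "fail_ratio": round(fail_ratio, 2),
                           "compromised": sorted(s["hits"])}
    return flagged

if __name__ == "__main__":
    for ip, summary in find_stuffing_sources(SAMPLE_LOG).items():
        print(ip, summary)
```

The thresholds are assumptions to tune per service; the list of accounts that succeeded from a flagged source is the set that needs a forced password reset and customer notification.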
To make matters worse, despite being aware of the breaches, the company failed to alert the public and allowed the situation to deteriorate.
What was the legal response?
Last year, the New York Attorney General announced a settlement to resolve the lawsuit against Dunkin' Donuts, which had accused the company of 'glazing' over the hacks. To end the lawsuit, the settlement requires Dunkin' Donuts to notify each customer whose data was accessed, reset the passwords of the compromised accounts, and refund any unauthorized use of stored value cards associated with the compromised accounts, alongside paying the significant penalties and costs.
Adhering to cyber regulations
The New York data breach notification law was updated with the inclusion of the SHIELD Act, which came into effect in March of this year. The New York Stop Hacks and Improve Electronic Data Security Act - suitably named - broadens the definition of a breach and expands the breach notification requirements.
The Act requires any person or business owning or licensing computerized data that includes the private information of a New York resident to implement and maintain reasonable safeguards to protect the security, confidentiality, and integrity of that information. Of the people whose accounts were compromised in the Dunkin' Donuts breach, 36,000 were in fact New York residents, so the company must adopt the safeguards the Act calls for moving forward.
Similar to the First American data breach, this case serves as yet another example of the serious ramifications caused by failing to act on security issues when they arise. The fallout of such a breach can cause serious and long-term damage to not only the company’s economic standing but also its reputation.
Having a well-structured security strategy and conducting regular penetration testing are critical to protecting businesses and their customers. Get in touch to learn more about how we can help you adopt a proactive approach to cyber security.