[BreachExchange] Dunkin' Donuts parent settles New York cyberattack lawsuit, is fined

Destry Winant destry at riskbasedsecurity.com
Wed Sep 16 10:17:37 EDT 2020
https://www.reuters.com/article/us-dunkin-brnds-new-york/dunkin-donuts-parent-settles-new-york-cyberattack-lawsuit-is-fined-idUSKBN2662PX

NEW YORK (Reuters) - The parent of Dunkin’ Donuts on Tuesday agreed to
upgrade its security protocols and pay $650,000 in fines and costs to
settle a lawsuit by New York’s attorney general claiming it ignored
cyberattacks that compromised the online accounts of tens of thousands
of customers.
Attorney General Letitia James said Dunkin’ Brands Group Inc will
notify customers affected by the attacks between 2015 and 2018, reset
their passwords, and provide refunds for unauthorized use of their
Dunkin’-branded stored value cards.

The settlement resolves a civil lawsuit filed last Sept. 26 in a New
York state court in Manhattan, and requires a judge’s approval.

Dunkin’ did not admit or deny wrongdoing.

The case arose after hackers began in early 2015 using previously
stolen user names and passwords to conduct automated “brute force” and
“credential stuffing” attacks, and steal tens of thousands of dollars
from accounts created through Dunkin’s website or free mobile app.

James said the Canton, Massachusetts-based company did nothing for
years to address the compromised accounts despite repeated alerts from
its own app developer, including when it identified 19,715 customers
targeted over a five-day period.
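The attack pattern described above (one automated source replaying previously stolen username/password pairs against many different accounts, with most attempts failing) has a recognizable shape in authentication logs, and the kind of alert the app developer raised ("N customers targeted over a window") can be produced from them. The following is an added example, not code from the original article or from Dunkin'; the log lines are constructed, and the window length and thresholds (five or more distinct accounts from one source within five minutes, at least 60% failures) are illustrative assumptions.

```python
"""Flag credential-stuffing activity in authentication logs (added example).

Credential stuffing differs from classic brute force: instead of many
passwords against one account, it is one password attempt against many
accounts, so the signal is "one source, many distinct usernames, mostly
failures" inside a short window.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data). Format per line:
#   <ISO timestamp> <source IP> <username> <FAIL|SUCCESS>
SAMPLE_LOG = """\
2018-10-31T02:00:01 203.0.113.7 alice FAIL
2018-10-31T02:00:02 203.0.113.7 bob FAIL
2018-10-31T02:00:02 203.0.113.7 carol FAIL
2018-10-31T02:00:03 203.0.113.7 dave SUCCESS
2018-10-31T02:00:03 203.0.113.7 erin FAIL
2018-10-31T02:00:04 203.0.113.7 frank FAIL
2018-10-31T02:00:04 203.0.113.7 grace FAIL
2018-10-31T02:00:05 203.0.113.7 heidi FAIL
2018-10-31T02:00:05 203.0.113.7 ivan FAIL
2018-10-31T02:00:06 203.0.113.7 judy SUCCESS
2018-10-31T02:10:00 198.51.100.9 alice FAIL
2018-10-31T02:10:20 198.51.100.9 alice SUCCESS
2018-10-31T02:15:00 192.0.2.44 bob SUCCESS
"""


def parse_line(line):
    """Split one log line into (timestamp, source_ip, username, succeeded)."""
    ts, ip, user, outcome = line.split()
    return datetime.fromisoformat(ts), ip, user, outcome == "SUCCESS"


def detect_credential_stuffing(log_text, window=timedelta(minutes=5),
                               min_accounts=5, min_fail_ratio=0.6):
    """Return {source_ip: alert} for sources matching the stuffing pattern.

    Thresholds are assumed values for illustration; tune them to the
    real login volume of the service being protected.
    """
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((ts, user, ok))

    alerts = {}
    for ip, evs in by_ip.items():
        start = 0
        # Sliding time window over this source's events (already time-sorted).
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            users = {u for _, u, _ in win}
            fails = sum(1 for _, _, ok in win if not ok)
            ratio = fails / len(win)
            if len(users) >= min_accounts and ratio >= min_fail_ratio:
                cand = {
                    "accounts": len(users),
                    "attempts": len(win),
                    "failure_ratio": round(ratio, 2),
                    # Accounts where a stolen credential still worked: these
                    # are the ones that need a password reset and a refund check.
                    "compromised": sorted(u for _, u, ok in win if ok),
                    "targeted": sorted(users),
                }
                prev = alerts.get(ip)
                if prev is None or cand["accounts"] > prev["accounts"]:
                    alerts[ip] = cand
    return alerts


def targeted_account_count(alerts):
    """Number of distinct customer accounts touched by any flagged source."""
    return len({u for a in alerts.values() for u in a["targeted"]})


if __name__ == "__main__":
    found = detect_credential_stuffing(SAMPLE_LOG)
    for ip, alert in found.items():
        print(ip, alert)
    print("accounts targeted:", targeted_account_count(found))
```

On the constructed log only 203.0.113.7 is flagged: ten distinct accounts in six seconds with an 80% failure rate, two of which (dave, judy) logged in successfully and so must be treated as compromised. The user at 198.51.100.9 who mistypes once and then succeeds is not flagged, which is the distinction a per-account lockout rule alone would miss.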

The attorney general also said Dunkin’ failed to adopt safeguards
against future attacks despite reports of continuing fraud. She said
that came to roost in late 2018, when more than 300,000 customer
accounts were accessed in new attacks.

“For years, Dunkin’ hid the truth and failed to protect the security
of its customers, who were left paying the bill,” James said. “It’s
time to make amends and finally fill the holes in Dunkin’s
cybersecurity.”

In a separate statement, Dunkin’ said the cyberattacks potentially
affected less than 1% of its Perks Loyalty members, and the hackers
had no access to credit card information.

“We have taken steps to make sure that any stored value cards
associated with [digital customers’] accounts are protected and
secure,” it added.