New York is suing Dunkin’ Donuts for failing to disclose a data breach in 2015, which resulted in nearly 20,000 customers being impacted.
In 2015, attackers used credential stuffing to gain access to Dunkin’ Donuts (DD) Perks accounts. Soon afterwards, the app developer alerted the company to attempts by attackers to gain access to customer accounts, and even provided Dunkin’ with a list of 19,715 accounts that had been compromised over a five-day period.
Dunkin’ did not notify customers about the 2015 attack until October 31, 2018. Customers were told that their full names, email addresses, usernames, DD Perks QR codes and 16-digit DD Perks account numbers may have been accessed.
The lawsuit, filed in State Supreme Court in Manhattan, states: “In 2015, Dunkin’s customer accounts were targeted in a series of online attacks. During this period, attackers made millions of automated attempts to access customer accounts. Tens of thousands of customer accounts were compromised. Tens of thousands of dollars on customers’ stored value cards were stolen.”
The lawsuit alleges that Dunkin’ failed to notify customers about the breach in accordance with the state’s data breach notification laws. Additionally, it alleges that Dunkin’ failed to reset passwords and freeze DD cards for the impacted accounts.
The lawsuit also claims that Dunkin’ failed to implement appropriate safeguards to prevent any future attacks against its users.
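The pattern the lawsuit describes (millions of automated login attempts, thousands of accounts compromised) is what a credential-stuffing detector looks for in authentication logs: one source address cycling through many distinct usernames with a high failure rate. The following is an added example, not code from Dunkin’, its app developer or the lawsuit; the log format, field names, thresholds and sample addresses are constructed for illustration. It flags the stuffing sources and then lists the accounts that authenticated successfully from those sources, which is the list the lawsuit says should have received password resets and card freezes.

```python
"""Credential-stuffing detection over authentication logs.

Added example (not code from Dunkin', the app developer, or the lawsuit).
The log format, field names and thresholds are assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def build_sample_log():
    """Constructed sample log lines: three ordinary logins from distinct
    addresses, plus one address trying 40 different usernames in about two
    minutes, of which two attempts succeed (the stuffing pattern)."""
    lines = []
    base = datetime(2015, 4, 20, 10, 0, 0)
    for i, (user, src) in enumerate([("alice", "198.51.100.10"),
                                     ("bob", "198.51.100.11"),
                                     ("carol", "198.51.100.12")]):
        t = base + timedelta(seconds=30 * i)
        lines.append(f"{t:%Y-%m-%dT%H:%M:%SZ} src={src} user={user} result=OK")
    for i in range(40):
        t = base + timedelta(seconds=3 * i)
        result = "OK" if i in (7, 23) else "FAIL"
        lines.append(f"{t:%Y-%m-%dT%H:%M:%SZ} src=203.0.113.7 "
                     f"user=user{i:03d} result={result}")
    return lines


def parse_line(line):
    """Parse one 'timestamp key=value ...' line (assumed format)."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "src": fields["src"],
            "user": fields["user"],
            "ok": fields["result"] == "OK"}


def detect_stuffing(lines, window=timedelta(minutes=5),
                    min_users=20, min_fail_ratio=0.8):
    """Flag a source address when, within any sliding window, it attempts at
    least `min_users` distinct usernames and at least `min_fail_ratio` of
    those attempts fail. Returns (events sorted by time, flagged sources)."""
    events = sorted((parse_line(ln) for ln in lines), key=lambda e: e["ts"])
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    flagged = {}
    for src, evs in by_src.items():
        start = 0
        for end in range(len(evs)):
            # Advance the window start so the window never exceeds `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            win = evs[start:end + 1]
            users = {e["user"] for e in win}
            fails = sum(1 for e in win if not e["ok"])
            if len(users) >= min_users and fails / len(win) >= min_fail_ratio:
                # Report totals for the whole source once it qualifies.
                flagged[src] = {
                    "distinct_users": len({e["user"] for e in evs}),
                    "attempts": len(evs),
                    "failures": sum(1 for e in evs if not e["ok"]),
                }
                break
    return events, flagged


def accounts_to_protect(events, flagged):
    """Usernames that authenticated successfully from a flagged source: the
    accounts to force a password reset on and to freeze stored-value cards for."""
    return sorted({e["user"] for e in events
                   if e["src"] in flagged and e["ok"]})


if __name__ == "__main__":
    evs, hits = detect_stuffing(build_sample_log())
    for src, stats in hits.items():
        print(f"stuffing source {src}: {stats}")
    print("accounts to reset/freeze:", accounts_to_protect(evs, hits))
```

The thresholds (20 distinct usernames, 80% failure rate within five minutes) are placeholders; in production they are tuned against the service's normal traffic, and the successful logins from flagged sources feed an incident workflow rather than only a printout.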
In an email to ZDNet, a Dunkin’ spokesperson said:
“There is absolutely no basis for these claims by the New York Attorney General’s Office. For more than two years, we have fully cooperated with the AG’s investigation into this matter, and we are shocked and disappointed that they chose to move ahead with this lawsuit given the lack of merit to their case.
“The investigation centered on a credential stuffing incident that occurred in 2015, in which third parties unsuccessfully tried to access approximately 20,000 Dunkin’ app accounts. The database in question did not contain any customer payment card information.
“The incident was brought to our attention by our then-firewall vendor, and we immediately conducted a thorough investigation. This investigation showed that no customer’s account was wrongfully accessed, and, therefore, there was no reason to notify our customers.
“We take the security of our customers’ data seriously and have robust data protection safeguards in place. We look forward to proving our case in court.”
The post #Privacy: New York sues Dunkin’ Donuts for hiding data breach appeared first on PrivSec Report.