HOLE LOTTA WOE
Dunkin’ didn’t protect eaters from breach: AG
Hungry hackers are causing a world of trouble for donut maker Dunkin’.
The New York attorney general sued the retail chain, formerly known as Dunkin’ Donuts, for its handling of a cybersecurity lapse that gave hackers access to hundreds of thousands in store credit that could only be used to buy crullers and other Dunkin’ products.
The AG said the snack attack started in 2015, when nearly 20,000 customers with smartphone app accounts for managing their “DD cards” had their cards stolen.
Some of the cards were resold online, the AG said — potentially to other hungry hackers browsing the dark Web. But other cards were not sold, a source told The Post, noting that the only potential use for them was to stock up on jelly donuts and other Dunkin’ goodies.
The app developer for Dunkin’ told the company “repeatedly” about “ongoing attempts to log in to customer accounts,” but the java chain didn’t investigate, warn customers or make any changes to protect the accounts, the complaint alleges.
In the process, tens of thousands of dollars were stolen from customers and Dunkin’ didn’t pay users back for the thefts, the court papers charge. If the customer had enabled a service called “auto reload,” which automatically reloads registered cards when the balance gets low, “the attacker could use the DD cards indefinitely,” AG Letitia James’ lawsuit said.
Because Dunkin’ didn’t fix the problem, 300,000 customers’ accounts were attacked again throughout 2018 — and Dunkin’ misled customers, telling them there had been “attempted” access into their accounts while hiding the fact that the hackers had actually gotten in, the court papers charge.
“Instead of disclosing that customers’ accounts had been accessed without authorization, Dunkin’ falsely represented that it and its vendor had concluded only that a third party had ‘attempted’ or ‘may have attempted to log in,’ ” the court documents charge.
“There’s no sugarcoating the fact that @dunkindonuts did nothing to protect consumers’ accounts as the dough continued to roll in…” AG spokesperson Fabien Levy said in a tweet promoting a press release that accused the company of “Glazing Over Cyberattacks.”
The AG’s office wants Dunkin’ to be fined $5,000 per customer account for falsely claiming the accounts were secure. The office is also seeking $10 fines for each customer account that was breached and the customer not notified.
The AG — who is seeking unspecified restitution for customers — also wants Dunkin’ to implement safeguards to prevent future breaches from happening, the court papers say.
“There is absolutely no basis for these claims by the New York Attorney General’s Office,” Karen Raskopf, a rep with Dunkin’ Brands, said. “For more than two years, we have fully cooperated with the AG’s investigation into this matter, and we are shocked and disappointed that they chose to move ahead with this lawsuit given the lack of merit to their case.”
Raskopf said that, in 2015, accounts didn’t contain customer payment information. Still, when Dunkin’ was notified of the breach, it investigated and found that no accounts were hacked. “Therefore, there was no reason to notify our customers,” Raskopf said. “We take the security of our customers’ data seriously and have robust data protection safeguards in place.”