New York files lawsuit over Dunkin' breach response

The New York attorney general alleged in a new lawsuit that the Dunkin' Brands breach response following attacks in 2015 wasn't just insufficient, but that the company "failed to take any action" to protect customers.

Letitia James, attorney general of the State of New York, alleged in the lawsuit that threat actors made millions of automated brute force attempts to access accounts for DD Perks, Dunkin's mobile app rewards program, and successfully breached nearly 20,000 such accounts. Mobile payment company CorFire, which was running servers supporting the Dunkin' mobile app, reportedly discovered the attacks and "repeatedly" notified Dunkin'.

James added that the Dunkin' breach response did not include an investigation by the company "to determine which customer accounts had been compromised, what customer information had been acquired, and whether customer funds had been stolen."

"Worse still, Dunkin' failed to take any action to protect many of the customers whose accounts it knew had been compromised," James wrote in the lawsuit. "Among other failures, Dunkin' did not notify its customers of the breach, reset their account passwords to prevent further unauthorized access, or freeze the stored value cards registered with their accounts."

The 2015 attacks described in the lawsuit are very similar to two separate credential stuffing attacks the company reported in late Nov. 2018 and early February 2019. The lawsuit mentioned the Dunkin' breach from late 2018 -- in which 300,000 customer accounts were accessed -- and said the company notifications to victims falsely claimed attackers attempted but failed to log in to accounts.

According to the lawsuit, the brute force attacks against customer accounts began in early 2015, and by mid-May of that year "Dunkin' personnel had recognized" the attacks. In June 2015, CorFire discovered the attacks, notified Dunkin' and even tried to mitigate further attacks. In July, CorFire sent a presentation regarding the attacks to the company and in August, CorFire developed a way to identify malicious traffic.

CorFire analyzed traffic over a five-day period and found approximately 5.4 million attempts to access customer accounts resulting in 19,715 successful logins. The company reported these findings to Dunkin', including recommended security enhancements and that within this group of accounts "reports of fraud rose dramatically," per the lawsuit. The lawsuit claims Dunkin' took no action following any of these reports by CorFire.

"By early 2018, the number of customers per month reporting their account had been compromised was three to four times the volume of customer reports in August 2015," James wrote in the lawsuit. "Finally, in late March 2018, Dunkin' engaged a security vendor to help block these types of automated attacks."

Dunkin' did not respond to requests for comment, nor did CorFire. But Dunkin' chief communications officer Karen Raskopf released a statement to multiple news outlets denying claims in the lawsuit.

Raskopf said Dunkin' cooperated with the AG's investigation. She also claimed the company did launch an investigation that showed no customer accounts had been accessed, and added that no payment card data was involved in the attacks.

The lawsuit noted that if compromised accounts had the "Auto Reload" feature turned on, the DD card would automatically pull more funds when the balance was low, allowing an attacker to use the card "indefinitely."

Ultimately, the NY AG said the Dunkin' Donuts breach response was insufficient; the company failed to take appropriate action, violated its own data policies, misrepresented the attacks, misled customers and misrepresented its own data security practices.