Are the holes in the Dunkin' Donuts cybersecurity program bigger than the holes in its donuts?
You could draw that conclusion based on a 2019 lawsuit filed against the donut and coffee chain, which has more than 8,000 U.S. locations.
Maybe you've seen a headline about this lawsuit. But have you looked at the serious accusations it makes about a household name's cybersecurity practices?
We did and want to share them with our SecureWorld readers.
The State of New York is suing Dunkin' Brands and the lawsuit contains some damning claims about the chain's security failures, which it paints as being deliberate and in violation of the chain's own security policies.
The lawsuit alleges the chain's cyber incidents violated New York's consumer protection laws and the state's data breach notification laws.
Here are excerpts from the lawsuit, which got its start following a credential stuffing attack on the DD loyalty program:
Part of this money was stolen as attackers took advantage of customers who had set up the auto-reload feature on their DD cards. A cybercriminal could spend the card's value, and the card would then reload with more money, like magic.
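The two signals a defender would look for in the scenario just described are a single source walking through many different accounts (the credential-stuffing pattern) and a stored-value card reloading far faster than any real customer spends. The Python below is an added example written for this article, not code from Dunkin', its vendor, or the lawsuit: it runs simple sliding-window checks over constructed login and auto-reload log lines. The log formats, the thresholds (eight distinct accounts in five minutes, more than two reloads in fifteen minutes) and the IP addresses and card ids are all assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records for illustration only; none of this is data from the lawsuit.
# Login log format (assumed): <ISO timestamp> <client IP> <account> <OK|FAIL>
SAMPLE_LOGINS = """\
2018-10-02T09:00:01Z 203.0.113.7 alice@example.com FAIL
2018-10-02T09:00:02Z 203.0.113.7 bob@example.com FAIL
2018-10-02T09:00:02Z 203.0.113.7 carol@example.com OK
2018-10-02T09:00:03Z 203.0.113.7 dave@example.com FAIL
2018-10-02T09:00:03Z 203.0.113.7 erin@example.com FAIL
2018-10-02T09:00:04Z 203.0.113.7 frank@example.com OK
2018-10-02T09:00:05Z 203.0.113.7 grace@example.com FAIL
2018-10-02T09:00:06Z 203.0.113.7 heidi@example.com FAIL
2018-10-02T09:00:06Z 203.0.113.7 ivan@example.com FAIL
2018-10-02T09:00:07Z 203.0.113.7 judy@example.com FAIL
2018-10-02T09:05:00Z 198.51.100.4 alice@example.com FAIL
2018-10-02T09:05:20Z 198.51.100.4 alice@example.com OK
"""

# Auto-reload log format (assumed): <ISO timestamp> <card id> <amount>
SAMPLE_RELOADS = """\
2018-10-02T09:10:00Z card-1001 25.00
2018-10-02T09:12:30Z card-1001 25.00
2018-10-02T09:14:10Z card-1001 25.00
2018-10-02T09:16:45Z card-1001 25.00
2018-10-02T09:30:00Z card-2002 25.00
"""

LOGIN_RE = re.compile(r"^(\S+) (\S+) (\S+) (OK|FAIL)$")
RELOAD_RE = re.compile(r"^(\S+) (\S+) (\d+\.\d{2})$")


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def parse_logins(text):
    """Parse login lines into (timestamp, ip, account, success) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOGIN_RE.match(line.strip())
        if m:
            events.append((_ts(m.group(1)), m.group(2), m.group(3), m.group(4) == "OK"))
    return events


def find_stuffing_sources(events, window=timedelta(minutes=5), min_accounts=8, max_success_rate=0.5):
    """Flag source IPs that try many distinct accounts inside one window with mostly failures.
    A real user retries one account; a stuffing tool walks a list of leaked credentials.
    Returns {ip: summary} where summary includes the accounts that were actually logged in."""
    by_ip = defaultdict(list)
    for ts, ip, acct, ok in events:
        by_ip[ip].append((ts, acct, ok))
    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort()
        start, best = 0, None
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:   # shrink window from the left
                start += 1
            win = evs[start:end + 1]
            accounts = {a for _, a, _ in win}
            successes = [a for _, a, ok in win if ok]
            if len(accounts) >= min_accounts and len(successes) / len(win) <= max_success_rate:
                if best is None or len(accounts) > best["accounts"]:
                    best = {"accounts": len(accounts), "attempts": len(win),
                            "successes": len(successes), "compromised": sorted(successes)}
        if best:
            flagged[ip] = best
    return flagged


def find_reload_abuse(text, window=timedelta(minutes=15), max_reloads=2):
    """Flag cards whose auto-reload fired more than max_reloads times inside one window.
    Returns {card: peak reload count in any single window}."""
    by_card = defaultdict(list)
    for line in text.splitlines():
        m = RELOAD_RE.match(line.strip())
        if m:
            by_card[m.group(2)].append(_ts(m.group(1)))
    flagged = {}
    for card, times in by_card.items():
        times.sort()
        start, peak = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > max_reloads:
            flagged[card] = peak
    return flagged


if __name__ == "__main__":
    for ip, info in find_stuffing_sources(parse_logins(SAMPLE_LOGINS)).items():
        print(f"credential stuffing from {ip}: {info}")
    for card, n in find_reload_abuse(SAMPLE_RELOADS).items():
        print(f"auto-reload velocity on {card}: {n} reloads inside one 15-minute window")
```

In the constructed data the first address trips the stuffing rule (ten accounts in six seconds, two of them successfully logged in), while the second address is an ordinary customer who mistyped a password once. The compromised list is the useful output: those are the accounts to lock and notify, which is the step the lawsuit says was skipped. The reload check is independent of login data and catches the auto-reload drain even when the stuffing traffic itself was not logged.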
None of this should have been a surprise to Dunkin' Donuts because a vendor had told the company the attack was happening and that it was significant:
After all of this information reached the donut giant, the lawsuit alleges Dunkin' Donuts responded by... doing nothing.
And according to the lawsuit, Dunkin's failure to act led to a much larger data breach in 2018 which the company downplayed to its customers:
"In late 2018, a vendor notified Dunkin' that customer accounts had again been attacked, and that the attacks had resulted in the unauthorized access of more than 300,000 customer accounts.
Although Dunkin' contacted impacted customers, Dunkin' did not disclose to these customers that their accounts had been accessed without authorization. Instead, Dunkin' falsely conveyed that a third party had 'attempted,' but failed, to log in to the customers' accounts. And Dunkin' falsely conveyed to some customers that the third party's attempts to log in may have failed because Dunkin's vendor had blocked them."
Dunkin' Donuts essentially calls the lawsuit bogus and claims it is stunned:
"For more than two years, we have fully cooperated with the AG's investigation into this matter, and we are shocked and disappointed that they chose to move ahead with this lawsuit given the lack of merit to their case," Karen Raskopf, Dunkin' Brands' Chief Communications Officer said in an emailed statement to FOX Business.
Is this case without merit? We've only hit the highlights here; wait until you read the details of the New York vs. Dunkin' Brands lawsuit.
We are sure about one thing: there is still more work to be done to raise the flag of cybersecurity in many organizations across North America.
Getting buy-in to develop a culture of security comes up at every regional SecureWorld cybersecurity conference. Here is how you can join the conversation.