New York Attorney General: Dunkin’s Response to App Breach Was Full of Holes

Dunkin Donuts Press Photo

In the past few years, Dunkin’ has been the target of multiple cyberattacks—and now, the New York Attorney General says the brand’s Munchkin-sized response to the breaches was “fraudulent, deceptive, and unlawful.”

On Thursday, Attorney General Letitia James announced a lawsuit against Dunkin’ Brands Inc. following a series of cyberattacks on the chain’s mobile DD Perks app. According to the lawsuit, Dunkin’ failed to notify nearly 20,000 customers impacted by the attacks, even though their information, including the funds loaded onto their accounts, was at risk. The lawsuit also alleges that the company failed to adequately investigate the attacks to best understand whose accounts were compromised and what information had been taken.

“Instead of notifying the tens of thousands impacted by these cybersecurity breaches, Dunkin’ sat idly by, putting customers at risk,” James said in a press release. “My office is committed to protecting consumer data and holding businesses accountable for implementing safe security practices.”

And James isn’t going at it alone. Massachusetts Attorney General Maura Healey is also digging into Dunks in a coordinated effort to uncover the brand’s wrongdoing.

“Our office is investigating the data breaches involving Dunkin’ to assess the extent, review the circumstances, and determine whether it properly notified affected consumers as required by law,” a spokesperson for Healey said. “We need to ensure that companies have the proper safeguards in place to protect the financial information of Massachusetts consumers.”

The lawsuit hinges on a data breach of Dunkin’s DD Perks app. In case you, unlike America, do not run on Dunkin’, here’s a quick rundown of how it works: Dunkin’-goers can create free accounts via the DD Perks app, and are then encouraged to input their bank account information to load a virtual “DD Card,” which allows customers to order ahead or pay in line by scanning a QR code.

While it feels pretty slick to procure your 2 for $2 wake-up wraps and coffee regular via an app, the lawsuit alleges that DD Perks has been majorly compromised not once, but twice over the past few years.

In 2015, accounts were targeted by a series of what the lawsuit calls “brute force attacks,” or millions of repeated attempts to gain access to accounts. Once a hacker gained access to an account, they could use the account to buy donuts on the victim’s dime (a lifetime supply, if the DD Card was set to auto-reload), sell the DD Card online, glean account information to incorporate into other phishing scams or even—gasp—use victims’ free beverage coupons.

Allegedly, a third party app developer noticed the deluge of login attempts, recommended Dunkin’ consider “a deeper proactive discussion on security,” and even gave the company a list of nearly 20,000 accounts that had been compromised. According to the lawsuit, however, Dunkin’ failed to do much of anything, choosing not to reset account passwords, freeze DD Cards, or even notify the people they knew had been affected. The lawsuit says tens of thousands of customers were impacted by this breach, and that tens of thousands of dollars were stolen.

A spokesperson for Dunkin’ told the Boston Business Journal that the lawsuit has misrepresented the 2015 cyberattack.

“The database in question did not contain any customer payment card information,” chief communications officer Karen Raskopf said in a statement. “The incident was brought to our attention by our then-firewall vendor, and we immediately conducted a thorough investigation. This investigation showed that no customer’s account was wrongfully accessed, and, therefore, there was no reason to notify our customers. We take the security of our customers’ data seriously and have robust data protection safeguards in place.”

In 2018, DD Perks was attacked again, impacting over 300,000 account holders, including 18,000 Massachusetts residents. This time, Dunkin’ did reach out to the consumers who had been affected. However, the lawsuit claims the company didn’t disclose enough—instead of revealing that accounts had been accessed by hackers, Dunkin’ said a third party had merely “attempted” to log into individuals’ DD Perks.

By law, businesses are required to send written notice to the AG’s office, the Office of Consumer Affairs and Business Regulation, and any affected Massachusetts residents if they experience a data breach.