September 22, 2020

NY settles credential stuffing breach case with Dunkin’

On September 15, 2020, the New York Attorney General announced that a consent order had been entered, resolving allegations that Dunkin’ Brands, Inc. had violated New York General Business Law §§ 349, 350, and 899-aa, and New York Executive Law § 63(12) in connection with its data security practices, by failing to notify consumers and state authorities of known data breaches, and by misrepresenting to consumers that the company had taken reasonable measures to safeguard customers’ personal information. 

In the lawsuit, the state of New York alleged that the online accounts of Dunkin’ customers, particularly those of “DD” branded stored value cardholders, had been compromised during a three-year period by hackers who had gained access to the accounts via usernames and passwords that were stolen through security breaches. The attacks, which used a “credential stuffing” technique, resulted in the theft of tens of thousands of dollars from the customers’ DD accounts. The state further alleged that although Dunkin’ was alerted about ongoing security incidents in which attackers tried to log onto thousands of customers’ accounts, the company failed to conduct an investigation, did not warn the customers whose accounts had been compromised, and did not take measures, such as asking customers to reset their passwords or freezing their DD cards, to protect cardholders or prevent additional attacks.

The settlement requires Dunkin’ to pay $650,000 in penalties and costs, and to notify, protect, and refund stolen funds to affected customers, including resetting all DD card passwords. In addition, Dunkin’ must maintain reasonable safeguards to protect against future credential stuffing attacks, and ensure that incident response procedures will be followed in the event of future attacks.

NYAG press release | Consent Order