Dunkin’ Donuts – recently rebranded as just Dunkin’ (although they still sell donuts) – has been sued by the state of New York. According to the official complaint, Dunkin’ was hacked as early as 2015 and, instead of doing what was necessary and legal, the company decided to engage in fraud and deception.
Last year, Dunkin’ publicly admitted to having been hacked. According to one announcement (fortune.com):
Although Dunkin’s internal systems did not experience a data security breach, we were informed by one of our security vendors that third-parties who obtained DD Perks account holders’ usernames and passwords through other companies’ or organizations’ security breaches may have used this information to log into certain DD Perks accounts if the account holders used the same username and password for unrelated accounts.
This turns out to be legal- and PR-speak for “hackers used credential stuffing to access customer accounts.”
What is Credential Stuffing?
Credential stuffing is feeding a list of known username and password pairs into an authentication prompt, like the ones for Gmail or your banking app. Because a significant number of people reuse the same username and password across services, there’s a chance, however small per attempt, that many of those pairs will grant access to real accounts. These credentials, of course, are compiled from data captured in prior, unrelated data breaches.
The AG’s complaint illustrates how (un)successful credential stuffing can be:
In late August 2015, CorFire presented Dunkin with its analysis and findings… including the number of times attackers had attempted to access Dunkin’ accounts since August 7, 2015 (approximately 5,400,000), the number of customers impacted over that five-day period (19,715), and CorFire’s methodology for identifying attackers’ traffic.
19,715 accounts were impacted out of roughly 5.4 million attempts, which puts the hackers’ success rate at about 0.36%. The figure gives you an idea of how inefficient this method of hacking is.
If you prefer, that’s 3.6 times out of 1,000. Take this with a grain of salt, though: according to the legal complaint, more than 300,000 accounts were accessed illegally in late 2018 alone. At a rate of 0.36%, reaching that many accounts implies over 80 million login attempts in that period.
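The complaint mentions CorFire’s “methodology for identifying attackers’ traffic” without describing it. The following is an added example, not code from the page or from Dunkin’/CorFire, of the simplest version of such a method: a source that cycles through many distinct usernames with a very low hit rate looks nothing like a legitimate user. The log format, IPs, usernames and thresholds are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample login log (not real Dunkin' data); the last line is malformed.
SAMPLE_LOG = """\
2015-08-07T10:00:01Z 203.0.113.5 alice FAIL
2015-08-07T10:00:01Z 203.0.113.5 bob FAIL
2015-08-07T10:00:02Z 203.0.113.5 carol FAIL
2015-08-07T10:00:02Z 203.0.113.5 dave OK
2015-08-07T10:00:03Z 203.0.113.5 erin FAIL
2015-08-07T10:00:03Z 203.0.113.5 frank FAIL
2015-08-07T10:00:04Z 203.0.113.5 grace FAIL
2015-08-07T10:01:00Z 198.51.100.7 alice FAIL
2015-08-07T10:01:05Z 198.51.100.7 alice FAIL
2015-08-07T10:01:09Z 198.51.100.7 alice OK
2015-08-07T10:02:00Z 192.0.2.9 mallory OK
garbage line that should be skipped
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (OK|FAIL)$")

def parse_log(text):
    """Yield (ip, user, success) tuples, skipping malformed lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            _, ip, user, result = m.groups()
            yield ip, user, result == "OK"

def source_stats(text):
    """Per-source attempt count, distinct usernames tried, and opened accounts."""
    stats = defaultdict(lambda: {"attempts": 0, "users": set(), "hits": []})
    for ip, user, ok in parse_log(text):
        s = stats[ip]
        s["attempts"] += 1
        s["users"].add(user)
        if ok:
            s["hits"].append(user)
    return stats

def flag_stuffing(text, min_users=5, max_rate=0.2):
    """Flag sources cycling through many usernames with a low hit rate (the
    complaint's figures work out to ~0.36%); return {ip: (rate, opened accounts)}."""
    flagged = {}
    for ip, s in source_stats(text).items():
        rate = len(s["hits"]) / s["attempts"]
        if len(s["users"]) >= min_users and rate <= max_rate:
            flagged[ip] = (round(rate, 4), sorted(s["hits"]))
    return flagged
```

The list of opened accounts per flagged source is what a defender needs for forced password resets and for the breach notifications the complaint says Dunkin’ never sent.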
Regardless, here we have hackers attacking Dunkin’ for over four years, no matter how seemingly pathetic the returns. The only reason for doing so would be that it makes financial sense for them. According to reports, some used illegal access to such accounts to treat themselves to Dunkin’ goods. Most would sell access to such accounts.
While exact figures are not provided, the official complaint notes that “Tens of thousands of dollars on customers’ stored value cards were stolen.” From a corporate finance standpoint, it sounds like very little money. Dunkin’ probably loses more money in spilled coffee in a week.
Making Donuts, Brewing Coffee, and Cooking (Security) Books
Perhaps it’s the low-ish monetary value that led Dunkin’ to act the way it did? Although Dunkin’ announced a data breach late last year, it had been receiving periodic warnings and alerts of incidents as early as 2015, according to the AG’s complaint.
And therein lies the AG’s argument. Over the course of four years, Dunkin’ didn’t do anything despite receiving reports that they had a data security problem, which led to real consequences in the real world. Sure, “tens of thousands of dollars” worth of consequences, but consequences nonetheless. If the company had been following the law, as it should have, it would have sent data breach notifications as early as 2015.
And, if it had done something to rectify the security situation then, Dunkin’ wouldn’t have needed to do much since, aside from monitoring the situation (assuming no other attacks were being directed at the company). Instead, it did nothing after receiving security incident reports, leading to identical incidents in subsequent years (to which, again, it reacted by… doing nothing).
Furthermore, the company had the gall to write in its public-facing security statements that it took people’s security seriously, that it had good security in place, etc., the sort of language meant to reassure customers that a security plan really is in place.
And, according to some other reports, in one instance customers who called Dunkin’ to complain or to alert the company that their accounts were compromised were told that it was their (the customers’) fault: they had probably been phished. This despite the fact that the company already knew what was going on. Bald-faced lying (although, granted, the people manning the phones probably didn’t know).
Last but not least, the company already had a “Computer & Data Security Incident Response Plan,” Dunkin’s own policy on how to react to a data security incident. They ignored it.
For all this, the AG has slapped them with the accusation of fraudulent business conduct, engaging in deceptive acts, and false advertising.
It’s probably going to cost Dunkin’ more than tens of thousands of dollars to put this one to rest, especially when you consider that it’s not only New York that has these kinds of laws in place, and that Dunkin’ has stores in 41 states.