This hack is instructive for not only companies based in New York but for global ones as well.
Dunkin' Donuts failed to notify thousands of customers that their accounts were breached in 2015, leading to tens of thousands of dollars stolen from gift cards, according to New York Attorney General Letitia James.
James filed a lawsuit Thursday accusing Dunkin' Brands Inc., franchisor of the popular doughnut-and-coffee chain, of failing to properly protect its customers' accounts, which stored money from "DD" cards that could be used to purchase goods at the stores.
The lawsuit, filed in state Supreme Court in Manhattan, claims Dunkin' never notified the customers of the 2015 breach, even after money was taken from their accounts.
"Dunkin' failed to protect the security of its customers," James said in a statement. "And instead of notifying the tens of thousands impacted by those cybersecurity breaches, Dunkin' sat idly by, putting customers at risk."
The lawsuit is instructive. It explains that Dunkin' represented that the company uses reasonable safeguards to protect customers' personal information from loss, misuse and unauthorized disclosure.
The company was then alerted by its app developer, CorFire, of a hack, and even received a list of 19,715 customer accounts that had been accessed.
The complaint then explains that, once armed with this information, Dunkin' failed to conduct an investigation and analysis of the attacks to determine which customer accounts had been compromised, what customer information had been acquired and whether customer funds had been stolen.
It goes on to say that even four years later, no investigation has taken place.
Even worse, the complaint explains that in 2018 Dunkin' was notified of a breach of 300,000 customer accounts. Dunkin' told customers there had been a failed attempt to log into their accounts, which was not the case: the accounts had actually been accessed.
Customers who reported problems were told they may have been victims of phishing attacks, instead of being told the truth about a hacker accessing the company's information.
These false and misleading statements in fact violated New York’s consumer protection laws, Executive Law and the breach notification law.
The office of Attorney General is seeking restitution for consumers as well as injunctive and equitable relief to redress the “fraudulent, deceptive and illegal” conduct. In addition, the OAG is seeking civil penalties as well as reasonable costs of investigation and litigation.
After learning of the attacks, CorFire suggested security enhancements to Dunkin', but these appear to have been ignored.
What may be a huge issue for the organization is that although it has a data security policy, the Dunkin' Computer & Data Security Incident Response Plan (CDSIRP), with eight phases for dealing with security threats, the company failed to follow its own plan.
In all, this looks very bad for Dunkin', and other state AGs will likely join in a larger lawsuit, which could cost tens of millions of dollars or much more.
Sadly, there are many companies that have internal security policies which are not followed. They use these policies to convince regulators or customers that they have a plan, but the policies are for show. Or there were good intentions when the plan was written, but subsequent management changes meant the people who were in charge of applying the plan are no longer at the company, and their replacements don't assign the same importance to adhering to the policy.
What we learn here is that attackers can hit a company through numerous threat vectors; apps are just one of many. Web servers, blog servers, firewalls, RDP and others are also important entry points.
We also learn that when a problem is reported, or even merely suspected, there needs to be a plan already in place for how to deal with it, and that plan needs to be followed.
Finally, the New York SHIELD Act goes into effect in less than a month, on October 23, 2019.
It makes existing laws even more restrictive.
For example: The SHIELD Act amends the definition of “private information” to include three new types of personal information that are covered by the law:
A) Account number, credit or debit card number, even without additional identifying information or a password
B) Biometric information, such as an individual’s fingerprint, voice print, or retina image
C) User name or e-mail address in combination with a password or security question and answer that would permit access to an online account.
Here is a solid overview of the act we covered some time back.
Any company doing business in New York or having customers in Manhattan or elsewhere in the state is covered by the new law. Had this breach been covered by the SHIELD Act, it likely would have added another $250,000 of financial damage to Dunkin'.
How your organization can stay safe:
1) Determine if you are in possession of private information for New York residents, even if you are not conducting business in New York. This may be the opportunity to assess whether you need to retain this information for ongoing business purposes.
2) Ensure that you have administrative, technical, and physical safeguards in place that comply with the requirements of the SHIELD Act.
3) Develop, or revisit, internal policies for how the company will identify and respond to a data breach. Ensure that your employees understand the policies and that they are properly implemented.
4) This is a good time to re-evaluate corporate cybersecurity, as new attacks are launched constantly against organizations. We reported recently that the IRS has issued a new scam warning, advising people not to click on links in emails purporting to come from the agency, as these are likely malicious messages disguised to look like they emanated from the IRS.
5) Read our cybersecurity essentials, a simple list that will help most organizations become far more secure.
6) Go to a phishing simulation vendor now and sign up for one of their offerings. Phishing Box, KnowBe4 and Phish360 are all great.
7) We also recommend that you get a free evaluation of your cybersecurity risk from an MSP/MSSP immediately; they can also help you build in the needed compliance to reduce the risk of being fined.