Dunkin’ Donuts fined $650k USD for hiding information after being hacked

A few years ago, a group of hackers managed to compromise nearly 20,000 online accounts of Dunkin’ Donuts customers using a massive credential stuffing campaign.

Cybersecurity specialists point out that credential stuffing is highly successful because many users of online platforms reuse the same password across two or more services, which makes the work of threat actors much easier.

During the incident at the coffee shop chain, hackers were able to access multiple details contained in users’ points cards, for example:

  • Full names
  • Email addresses
  • Dunkin’ Donuts account number
  • Access key
  • Account balance, only in some cases

Security reports mentioned that the compromised information was posted on hacking forums on the dark web, where it could have been used to deploy phishing attacks against the company’s customers. Although the incident was reported to Dunkin’ Donuts via its mobile app provider, the coffee shop chain did nothing about it.


As if that wasn’t enough, in early 2019 the company disclosed a new security incident affecting its customers’ information, again resulting from a credential-based attack. Although the company’s executives once more tried to ignore the incident, this time things were different: the state of New York decided to file a lawsuit against the company, and if approved by a judge, the lawsuit will result in a $650,000 USD fine for the large donut seller.


Local authorities argue that the company never notified its customers of the problem, did not reset the passwords of those affected, and did not implement any security mechanism to contain the attack.

Dunkin’ Donuts said: “Our IT teams voluntarily implemented the required security measures long before the New York Attorney’s Office filed the lawsuit.”

Subsequently, a company spokesperson stated that no authority had required them to implement security mechanisms, and that the initiative was instead driven by a commitment to the security of their customers and the prevention of security incidents.