In 2015, millions of “brute force” online attacks against customers of the popular Dunkin’ Donuts coffee chain resulted in tens of thousands of accounts being compromised. In a brute force attack, an automated program repeatedly tries customer login and password combinations until it finds ones that work, giving the attacker control of those accounts.
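The attacks described above leave a recognizable trace in authentication logs: a burst of failed logins from one source against many accounts, or many failed logins against one account, sometimes followed by a success on an account that has just been hammered (the “taken over” accounts the complaint refers to). The following detector is an added example, not code from the article or from Dunkin’ Brands; the log format, the field names (`user=`, `src=`), the thresholds and the sample log lines are all assumptions constructed for the illustration.

```python
# Added example: flag brute-force login activity and possible account takeovers
# in a sliding time window. Log format and sample data are constructed, not real.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (assumed format: "<iso-timestamp> <event> user=<name> src=<ip>").
# 203.0.113.7 sprays one guess across many accounts; 198.51.100.2 hammers one account;
# 192.0.2.10 is an ordinary user who mistypes a password once.
SAMPLE_LOG = """\
2019-09-01T10:00:00 LOGIN_FAIL user=alice src=203.0.113.7
2019-09-01T10:00:01 LOGIN_FAIL user=bob src=203.0.113.7
2019-09-01T10:00:02 LOGIN_FAIL user=chris src=203.0.113.7
2019-09-01T10:00:03 LOGIN_FAIL user=dave src=203.0.113.7
2019-09-01T10:00:04 LOGIN_FAIL user=erin src=203.0.113.7
2019-09-01T10:00:05 LOGIN_FAIL user=frank src=203.0.113.7
2019-09-01T10:00:06 LOGIN_FAIL user=grace src=203.0.113.7
2019-09-01T10:00:07 LOGIN_OK user=hank src=203.0.113.7
2019-09-01T10:01:00 LOGIN_FAIL user=carol src=198.51.100.2
2019-09-01T10:01:10 LOGIN_FAIL user=carol src=198.51.100.2
2019-09-01T10:01:20 LOGIN_FAIL user=carol src=198.51.100.2
2019-09-01T10:01:30 LOGIN_FAIL user=carol src=198.51.100.2
2019-09-01T10:01:40 LOGIN_FAIL user=carol src=198.51.100.2
2019-09-01T10:01:50 LOGIN_OK user=carol src=198.51.100.2
2019-09-01T10:05:00 LOGIN_FAIL user=dave src=192.0.2.10
2019-09-01T10:05:03 LOGIN_OK user=dave src=192.0.2.10
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>LOGIN_OK|LOGIN_FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse(lines):
    """Yield (timestamp, event, user, src) for every line that matches the assumed format."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m["ts"]), m["event"], m["user"], m["src"]


def detect(log_text, window=timedelta(minutes=5), per_account=5, per_source=6):
    """Return flagged source IPs, flagged accounts, and successful logins that
    occurred after the source or account had already been flagged (possible takeovers).

    Thresholds are assumptions: per_source catches one IP spraying many accounts
    (credential stuffing style), per_account catches many guesses against one user.
    """
    fails_by_src = defaultdict(deque)   # src -> timestamps of recent failures
    fails_by_user = defaultdict(deque)  # user -> timestamps of recent failures
    flagged_src, flagged_user, takeovers = set(), set(), []

    for ts, event, user, src in parse(log_text.splitlines()):
        if event == "LOGIN_FAIL":
            for key, table, limit, flagged in (
                (src, fails_by_src, per_source, flagged_src),
                (user, fails_by_user, per_account, flagged_user),
            ):
                q = table[key]
                q.append(ts)
                # Drop failures that fell out of the sliding window.
                while q and ts - q[0] > window:
                    q.popleft()
                if len(q) >= limit:
                    flagged.add(key)
        else:
            # A success from an already-flagged source, or on an already-flagged
            # account, is the signal that a guess worked: treat it as a takeover.
            if src in flagged_src or user in flagged_user:
                takeovers.append((user, src))

    return {
        "sources": sorted(flagged_src),
        "accounts": sorted(flagged_user),
        "takeovers": takeovers,
    }


if __name__ == "__main__":
    for kind, items in detect(SAMPLE_LOG).items():
        print(f"{kind}: {items}")
```

On the constructed log this flags `203.0.113.7` as a spraying source, `carol` as a targeted account, and reports two possible takeovers (`hank` from the spraying IP, `carol` after the burst against her account), while `dave`’s single typo from `192.0.2.10` is left alone. Accounts in the takeover list are the ones a defender would lock, re-credential and notify; the per-source and per-account views matter because either pattern alone can sit below the other’s threshold.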
New York Attorney General Letitia James recently filed a lawsuit against Dunkin’ Brands for their handling of the aftermath of one such attack.
According to the complaint, filed on September 26, Dunkin’ Brands failed to take any corrective action to protect customer accounts. It also failed to notify customers who had their accounts “taken over” in the attack. Instead, according to the New York Attorney General’s office, Dunkin’ Brands misled customers into thinking an attempt occurred but was not successful. Thousands of customers lost money on their store cards, which can be used to make purchases in-store and online.
In 2018, the brute force attacks recurred, resulting in an additional 300,000 customer accounts being compromised.
New York is alleging that Dunkin’ Donuts engaged in fraud by misinforming their customers and misrepresenting the nature of the attack. New York also accuses Dunkin’ Donuts of false advertising. It is seeking compensation for victims, full disclosure of the breach to customers, and other equitable relief.
In a statement to CBS MoneyWatch, Chief Communications Officer Karen Raskopf said the complaint lacked merit, and that a Dunkin’ Brands investigation did not find that any customer accounts were wrongfully accessed and therefore did not require customer notification.
While brute force attacks are common, it is not always clear when public companies must disclose attacks. The Securities and Exchange Commission has issued guidance about when public companies must come forward. While law enforcement sometimes requires a victimized company to remain silent while cooperating with an investigation, merely having an active investigation is not enough to justify failing to notify customers and investors, according to the SEC. Still, the SEC investigates relatively few delayed disclosures, and has never brought an enforcement action against a company for failing to disclose.
That is not to say companies are not required to disclose data breaches, however, and not just to the SEC. Businesses in the financial sector must report data breaches to the Department of Treasury; in healthcare, notification must go to the Department of Health and Human Services. Each state also has different rules regarding when to come forward. California recently implemented comprehensive legislation over data privacy, for example. The upshot is that companies that are subjected to routine brute force and other cyberattacks must weigh competing priorities regarding when (and if) to disclose cyberattacks, as well as understand disclosure requirements at both federal and state levels.
As New York’s investigation into and lawsuit against Dunkin’ Brands demonstrate, failure to do so can lead to litigation.