There is no doubt, at least in my opinion, that there does not go by a day in which we hear about some business entity that is being hacked, and thousands upon thousands of PII based records being stolen. Believe me, I peruse the Cyber news headlines on a daily basis, and at least 50% of them are on this topic. I am not in the least trying to diminish what has happened to these poor victims. I have been a victim of a Cyberattack myself, and it is not fun at all.
It really sucks and trying to get your life organized after it is even worse. Luckily, the damage I was inflicted was only about $300 or so, and because of that I could recover fairly quickly. But there are others out there whom have been victimized, especially in the way of Identity Theft, and it will take them years to recover. But, after reading about all of this day after day, you get sort of used to it, and expect it to occur.
Heck, I have even wondered what if there was no news headline about an organization being hacked into? What then? Is that a precursor to something much bigger that is going to happen? Hopefully not. But, as much as we empathize and feel for the victims, does anybody really even wonder what the fate of the business is after it has been struck by a Cyberattack?
Well, today we got some news into that (actually, it came out a couple of days ago). Apparently, back in 2015, the franchise chain of Dunkin’ Donuts was impacted by a large scale Cyberattack. In this, well over 20,000 customers were impacted, in which not only their usernames and passwords were stolen, but their Dunkin’ Donuts credit card data was also stolen as well.
In this instance, the Cyberattacker could not only use these hijacked cards, but they even sold them on the Dark Web, making a rather lucrative profit in that underworld. Now granted, once again, we hear about this on an almost daily basis, but here is where the difference lies: The corporate HQ at Dunkin’ Donuts was actually warned about this repeatedly from different sources.
For example, an external third party that made various apps for the franchise even told them that Cyberattackers were making their way into the accounts of these victims, and they even went so much to the point that they even provided the C-Suite with a list of all of the 19,715 accounts that were hacked into in just a five day time period.
Even customers were complaining to store managers that they noticed fraudulent activity onto their accounts, but yet no action was even being taken. So where is Dunkin’ Donuts now? Well, fast forward five years into the present time, and just last week, the New York Attorney General filed a massive lawsuit against the company, stating that despite all of the advanced warnings that they were being given, the franchise took no action to proactively protect their customer base.
So, in the eyes of the Attorney General, what could have Dunkin’ Donuts done? They could have very easily done the following:
*Notify the customers that their accounts have been hacked into and to keep an eye out for any fraudulent activity that is taking place;
*Telling them how to reset their passwords quickly so that their accounts could be protected;
*Freezing the credit cards and issuing new ones;
*Conduct a forensic analysis to see what was actually stolen, especially in the way of passwords, credit card numbers, and other types of Personal Identifiable Information (PII).
In the lawsuit, the NY Attorney General claims that Dunkin’ Donuts willfully and knowingly violated the following state laws and statutes:
*The General Business Law § 899-aa, by failing to notify consumers and New York State law enforcement of the 2015 data breach;
*Executive Law § 63(12), and General Business Law §§ 349 and 350, by misrepresenting to its customers that it provided safeguards to protect customers’ PII when they first signed up for an account.
My Thoughts On This
It is important to keep in mind that as with anything in life, there are always two sides to an issue. We examined it from the perspective of the customer, now let us take a little bit closer look at Dunkin’ Donuts.
I am not defending them by any means whatsoever, but the bottom line is that any business or corporation is at grave risk from becoming a victim of a Cyberattack. Despite all of the precautions one can take, there is always that chance.
Now, the key difference here is that Dunkin’ Donuts was not only warned, but they were even provided with irrefutable proof by the external third party that customer accounts were being hacked into. Despite this, the C-Suite did nothing to mitigate or even remediate the effects of the Cyberattacks that were occurring.
This I find totally reprehensible, and they that they should be held accountable to the fullest extent of the law, so I do support the NY Attorney General in this regard.
It is one thing if a business was suddenly impacted by a Cyberattack and is completely blindsided by it. It is another if this were to happen, but they were warned about it. Here is a key thing for all business owners that maintain confidential and sensitive information about your customers:
If you are ever impacted by a Cyberattack, immediately notify your customer base, as well as all applicable law enforcement agencies, which include the federal, state and local levels.
By doing so, it at least shows that you were very proactive in trying to protect your customers, and to notify them immediately. By doing so, the risks for a lawsuit, such as the one that Dunkin’ Donuts is going to experience, will be greatly minimized. Along with this of course, you also need to be proactive about trying to restore your business operations as quickly as possible as well.
In this regard, it is always wise to have a Cybersecurity consultant on your advisory board to guide you in this process. By taking this approach as well, it will also show to an insurance carrier that you are being very proactive about your Cybersecurity stance, and this will help you to get a much more favorable policy, and even a quicker payout if you are ever impacted.
Some more words of wisdom to all business owners out there (and yes, even including me): Just because a long period has lagged since you were first impacted, don’t ever think that your customers or the legal system will not hound you down in terms of subsequent lawsuits. Eventually they will, whether it is months or even years down the road, as in the case of Dunkin’ Donuts.