Fast-casual giant indirectly targeted in data breach
Dunkin’ Brands is the newest company to be caught up in a cyber attack—however, not one that directly targeted its internal systems.
The fast-casual giant learned that “third parties” have been using its loyalty members’ user names and passwords to log into some Dunkin’ DD Perks accounts. The cyber-thieves gained access to customers’ first and last names, email addresses (which are used as user names), members’ 16-digit DD Perks account numbers, and DD Perks QR codes through other companies’ security breaches, according to the company’s website.
Dunkin’ learned about the incident from a security vendor that noticed on Oct. 31 that a third party was making fraudulent attempts to log into DD Perks accounts. The attempts targeted members who used the same username and password for accounts unrelated to Dunkin’.
While the company didn’t disclose a specific number, Dunkin’ revealed that “only a small percent” of accounts were possibly affected, according to CNBC.
Upon learning about the incident, Dunkin’ immediately launched an internal investigation. Dunkin’ reported the incident to law enforcement and continues to cooperate with officials “to help identify and apprehend” those responsible for the incident. The company also continues to work with its security vendor “to remediate the event and to help prevent this kind of event from occurring in the future,” according to Dunkin’.
All impacted DD Perks account holders were directed to log out and log back in to their account using a new password. The company has also taken steps to replace any DD Perks stored value cards with a new account number, but all stored value has been retained on the accounts.
This is the latest data breach to hit the industry. In October, hackers targeted Nordstrom databases and pilfered the personal data of current and past employees.
Other retailers targeted by cyber-thieves this year include Hudson’s Bay Co.’s Saks, Saks Off Fifth and Lord & Taylor brands, Best Buy, Panera Bread, Sears Holdings, and Under Armour.
Majority of holiday shoppers concerned about identity theft
Retailers will end up on consumers’ naughty lists this holiday season if they don’t protect their personal data.
That’s according to new data from Generali Global Assistance (GGA), which reported that 71% of shoppers are concerned that their financial and personal information could be compromised due to data breaches while shopping for holiday gifts.
This holiday season, most (65%) plan to shop in brick-and-mortar stores, online via a laptop / desktop computer (59%), and through mobile devices (36%). Regardless of their preferred shopping method, 33% of consumers don’t believe businesses are doing all they can to protect their personal information; another 33% said they are unsure if businesses are doing enough. This was a decrease of 7% and 5%, respectively, from 2017. Moreover, if a retailer experienced a data breach in the past, 83% of shoppers feel concerned about making an online or in-store purchase at that retailer.
When it comes to identity theft, data breaches from online merchants (51%) far outweighed other risks on shoppers’ minds. Twenty percent believed brick-and-mortar point-of-sale systems pose an identity theft threat, while 15% feared identity theft could result from being pick-pocketed or robbed. Ten percent feared it would result from having their car broken into.
To ease consumer anxiety, 55% of Americans would feel more confident that a business is actively working to protect their data and reduce risk if it offered identity protection services. Likewise, retail businesses that either offer identity protection services or that plan to do so in the future instill greater confidence in 68% of Americans, a 12% increase from 2017.
As concerns over data breaches grow, the most popular form of payment for holiday purchases this year will be cash (56%). Debit (52%) and credit cards (45%) were a close second and third. In 2017, the most popular form of payment for holiday purchases was through a credit card (57%).
“For many, the holiday season is stressful enough without having to worry that one’s identity will be stolen,” said Paige Schaffer, president and COO of Generali Global Assistance’s Identity and Digital Protection Services Global Unit.
“With 2017 recording an all-time high of over 1,500 data breaches, consumers are more aware of the threats associated with holiday shopping and the need for businesses to better protect their data,” she added. “Though consumers are less confident in a business’s ability to protect their data, offering identity protection establishes trust and sends a clear message that they take the burden and privilege of protecting data seriously.”
Juniper: Online payment fraud loss on pace to double by 2023
Cyber-criminals continue to hone their craft, and retailers will remain one of their top targets in the next five years.
That’s according to a new study from Juniper Research, which revealed that digital fraud losses stemming from e-commerce, airline ticketing, money transfer and banking services will reach $48 billion by 2023, up from the $22 billion in losses projected for 2018. With such a strong focus on transactional rather than behavioral risk, money transfers will be particularly vulnerable, with fraud losses increasing by over 20% per year to $10 billion in 2023.
The study, “Online Payment Fraud: Emerging Threats, Segment Analysis & Market Forecasts, 2018-2023,” found that a critical driver behind these losses will be the continued high level of data breaches resulting in the theft of sensitive personal information. Cyber-criminals use information gleaned from these breaches to move away from pure identity theft, instead using fragments of real data to create new, synthetic identities.
“Synthetic identity is currently the low-hanging fruit because, even though it takes time for fraudsters to establish, many of their targets are not set up to detect the behavioral giveaways that indicate this type of fraud,” said Juniper’s senior analyst Steffen Sorrell. “Fraud management providers have solutions on the market to combat this, but the industry as a whole is playing catch-up.”
Additionally, techniques practiced by the Magecart hackers, who are highly focused on credit card skimming attacks, as well as malware often associated with Fin7 hackers, could become more common as fraudsters seek to create products from their knowledge. Both groups used a combination of malware and cross-channel approaches for criminal gain. More complex fraud would only become more common as, in effect, a ‘fraud-as-a-service’ economy emerges, the study revealed.