New York Attorney General Letitia James is suing Dunkin' Brands for allegedly failing to notify thousands of customers targeted in a series of cyberattacks.
The lawsuit alleges the company failed to notify nearly 20,000 customers that their accounts had been compromised, despite their personal information and funds being in jeopardy. The lawsuit also accuses Dunkin' of failing to conduct an investigation into a series of attacks that would have helped it determine which accounts had been compromised, what customer information had been acquired and whether customer funds had been stolen.
“Dunkin’ failed to protect the security of its customers,” said Attorney General Letitia James. “And instead of notifying the tens of thousands impacted by these cybersecurity breaches, Dunkin’ sat idly by, putting customers at risk. My office is committed to protecting consumer data and holding businesses accountable for implementing safe security practices.”
The attacks first began in early 2015, with customer accounts being targeted in a series of "brute force attacks": repeated, automated attempts to guess account credentials. An attacker who gained access to a customer's Dunkin' account could not only use DD cards registered to the account to make purchases, but could also sell the DD cards online. Tens of thousands of customer accounts were compromised through the attacks, and tens of thousands of dollars on customers' DD cards were stolen.
Dunkin' was notified of the attacks in May 2015, but failed to launch an investigation. Over a period of several months during the summer of 2015, a third-party app developer also repeatedly alerted the company to the attacks, the lawsuit alleges. The developer even provided the company with a list of 19,715 accounts that had been compromised over a five-day period.
The lawsuit alleges Dunkin' failed to protect its customers: it did not notify them of the unauthorized access, reset their account passwords to prevent further unauthorized access, or freeze their DD cards. The lawsuit also claims that the company did not conduct any investigation into or analysis of the attacks to determine how many more customer accounts had been compromised, what customer information had been acquired and whether customer funds were stolen.
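The investigation the lawsuit says never happened is, at its core, a log review: a brute-force takeover leaves a burst of failed logins immediately followed by a success, and the accounts matching that pattern are the ones that need notification, a password reset and a card freeze. The following is an added illustration, not code from Dunkin' or the lawsuit; the login events, field layout and thresholds are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login log (made up for this example, not real data).
# Fields: ISO timestamp, account, source IP, outcome.
EVENTS = [
    ("2015-05-01T10:00:00", "alice", "203.0.113.5", "fail"),
    ("2015-05-01T10:00:02", "alice", "203.0.113.5", "fail"),
    ("2015-05-01T10:00:04", "alice", "203.0.113.6", "fail"),
    ("2015-05-01T10:00:06", "alice", "203.0.113.6", "fail"),
    ("2015-05-01T10:00:08", "alice", "203.0.113.7", "fail"),
    ("2015-05-01T10:00:10", "alice", "203.0.113.7", "success"),
    ("2015-05-01T11:00:00", "bob", "198.51.100.9", "fail"),      # one typo, then success
    ("2015-05-01T11:00:30", "bob", "198.51.100.9", "success"),
    ("2015-05-01T08:00:00", "carol", "192.0.2.44", "fail"),      # slow failures spread out
    ("2015-05-01T08:40:00", "carol", "192.0.2.44", "fail"),
    ("2015-05-01T09:20:00", "carol", "192.0.2.44", "fail"),
    ("2015-05-01T09:50:00", "carol", "192.0.2.44", "fail"),
    ("2015-05-01T10:30:00", "carol", "192.0.2.44", "fail"),
    ("2015-05-01T10:31:00", "carol", "192.0.2.44", "success"),
]


def find_compromised(events, max_failures=5, window=timedelta(minutes=10)):
    """Flag accounts where a successful login was preceded, within `window`,
    by at least `max_failures` failed attempts: the signature of a guess that hit."""
    by_account = defaultdict(list)
    for ts, acct, ip, outcome in events:
        by_account[acct].append((datetime.fromisoformat(ts), ip, outcome))
    flagged = {}
    for acct, rows in by_account.items():
        rows.sort()  # chronological order per account
        for i, (ts, ip, outcome) in enumerate(rows):
            if outcome != "success":
                continue
            burst = [r for r in rows[:i] if r[2] == "fail" and ts - r[0] <= window]
            if len(burst) >= max_failures:
                flagged[acct] = {
                    "compromised_at": ts.isoformat(),
                    "failed_attempts": len(burst),
                    "source_ips": sorted({r[1] for r in burst} | {ip}),
                }
    return flagged


def reset_list(flagged):
    """Accounts to notify, force a password reset on, and freeze stored cards for."""
    return sorted(flagged)


if __name__ == "__main__":
    hits = find_compromised(EVENTS)
    for acct, info in hits.items():
        print(acct, info)
    print("force reset:", reset_list(hits))
```

With the constructed log only `alice` is flagged: `bob` is a normal typo, and `carol`'s failures are too spread out for the ten-minute window, which is the kind of threshold an analyst tunes against real traffic.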
In addition, the lawsuit alleges that, following the 2015 attacks, Dunkin' failed to add further safeguards to limit cyberattacks against its customers. Then, in 2018, a vendor notified Dunkin' that customer accounts had once again been breached, with more than 300,000 customers affected.
The company, however, claims it did not experience a security breach, but that other companies' past breaches may have allowed third parties to access DD Perks account holders' information. Dunkin' reportedly launched an internal investigation and forced a password reset on all potentially impacted DD Perks members.
Dunkin' allegedly violated New York's data breach notification statute, General Business Law § 899-aa, by failing to notify consumers and New York State authorities of the 2015 data breach, and failing to accurately notify consumers of the 2018 data breach. The lawsuit also alleges that Dunkin’ violated New York’s consumer protection laws, including Executive Law § 63(12), and General Business Law §§ 349 and 350, by misrepresenting to consumers that it provided reasonable safeguards to protect customers’ personal information when they first signed up for an account. The lawsuit seeks injunctive relief, full restitution to customers, civil penalties and other remedies.