What to Know
- Dunkin' failed to notify nearly 20,000 customers that their accounts had been compromised in 2015, according to a lawsuit filed by the NY AG
- The lawsuit also alleges the company failed to accurately notify when hackers accessed more than 300,000 customer accounts three years later
- The lawsuit seeks injunctive relief, full restitution to customers, civil penalties and other remedies; Dunkin' Brands disputes the claims
Dunkin' failed to notify nearly 20,000 customers that their accounts had been compromised and their information and personal funds were in jeopardy in 2015 – and failed to accurately notify them again when hackers accessed more than 300,000 customer accounts three years later, according to a lawsuit filed by New York Attorney General Letitia James against the company.
“Dunkin’ failed to protect the security of its customers,” James said in a statement Thursday. “And instead of notifying the tens of thousands impacted by these cybersecurity breaches, Dunkin’ sat idly by, putting customers at risk. My office is committed to protecting consumer data and holding businesses accountable for implementing safe security practices.”
James’ suit against Dunkin’ Brands, Inc. – franchisor of Dunkin’ – also alleges that Dunkin’ failed to conduct an investigation into a series of attacks that would have helped it determine which other accounts had been compromised, as well as what customer information was acquired and whether customer funds were stolen.
The lawsuit involves customer accounts created through the Dunkin’ website or the free mobile app for Android and iOS devices. According to the attorney general, in order to entice customers to create accounts, Dunkin’ allegedly falsely represented that the company was using safeguards to protect customers’ personal information.
These accounts enable customers to manage “DD cards,” stored-value cards that allow customers to make purchases both at brick-and-mortar shops and online.
James claims that starting in early 2015, customer accounts were targeted in a series of “brute force attacks,” which are repeated, automated attempts to gain access to accounts, often using usernames and passwords stolen through security breaches of other, unrelated websites or online services (the pattern commonly called credential stuffing).
An attacker that gained access to a customer’s Dunkin’ account could not only use DD cards registered to the account to make purchases, but could also sell the DD cards online, James says, adding that in just a matter of months, tens of thousands of customer accounts were compromised through these types of attacks, and tens of thousands of dollars on customers’ DD cards were stolen.
According to James, by May 2015, Dunkin’ personnel received customer reports that attackers were gaining access to their accounts. Allegedly, during the summer of 2015, a third-party app developer for Dunkin’ repeatedly alerted the company to ongoing attempts by attackers to log in to customer accounts, and even provided Dunkin’ with a list of 19,715 accounts that had been compromised in just a five-day period.
However, according to the suit, Dunkin’ failed to take any steps to protect these nearly 20,000 customers — or the potentially thousands more they did not know about — by notifying them of unauthorized access, resetting their account passwords to prevent further unauthorized access, or freezing their DD cards.
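The attack pattern described above (many usernames tried from one source in a short window, most of them failing) and the response steps the suit says were missing (identify the accessed accounts, reset their passwords, freeze their cards) can be illustrated with a small triage script. This is an added example, not code from the complaint or from Dunkin’; the log format, field names, thresholds and all IP addresses and usernames are constructed for illustration.

```python
"""Credential-stuffing triage over constructed login logs (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: timestamp, source IP, username, login result.
# One source cycles through many distinct usernames in seconds; two of
# them succeed. The other sources look like ordinary single-user logins.
SAMPLE_LOG = """\
2015-05-01T10:00:01 203.0.113.7 alice@example.com FAIL
2015-05-01T10:00:02 203.0.113.7 bob@example.com FAIL
2015-05-01T10:00:02 203.0.113.7 carol@example.com OK
2015-05-01T10:00:03 203.0.113.7 dave@example.com FAIL
2015-05-01T10:00:04 203.0.113.7 erin@example.com OK
2015-05-01T10:00:05 203.0.113.7 frank@example.com FAIL
2015-05-01T10:05:00 198.51.100.4 alice@example.com OK
2015-05-01T10:06:00 198.51.100.9 bob@example.com FAIL
2015-05-01T10:06:30 198.51.100.9 bob@example.com OK
"""

def parse(log):
    """Yield (timestamp, ip, username, succeeded) for each log line."""
    for line in log.splitlines():
        ts, ip, user, result = line.split()
        yield datetime.fromisoformat(ts), ip, user, result == "OK"

def stuffing_sources(log, window=timedelta(minutes=5), min_users=5, min_fail_ratio=0.5):
    """Return {ip: usernames} for sources that try many distinct usernames
    within `window` with a high failure rate. A single customer mistyping a
    password (one username, a few failures) does not match this signature."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in sorted(parse(log)):
        by_ip[ip].append((ts, user, ok))
    flagged = {}
    for ip, evs in by_ip.items():
        start = 0  # sliding window over this source's (time-ordered) events
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            seen = evs[start:end + 1]
            users = {u for _, u, _ in seen}
            fails = sum(1 for _, _, ok in seen if not ok)
            if len(users) >= min_users and fails / len(seen) >= min_fail_ratio:
                flagged[ip] = users
    return flagged

def compromised_accounts(log, **kw):
    """Accounts a flagged source logged into successfully: the list that
    needs notification, a password reset and a freeze on linked cards."""
    flagged = stuffing_sources(log, **kw)
    return sorted(user for _, ip, user, ok in parse(log) if ok and ip in flagged)
```

On the constructed log only 203.0.113.7 is flagged, and the two accounts it reached (carol and erin) are returned for follow-up.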
James also claims that Dunkin’ failed to conduct any investigation into or analysis of the attacks.
Moreover, following the attacks in 2015, Dunkin’ failed to implement appropriate safeguards to limit future attacks through the mobile app, despite customer reports of continuing fraud on their accounts.
In late 2018, a vendor notified Dunkin’ that customer accounts had again been attacked, which resulted in the unauthorized access of more than 300,000 Dunkin’ customer accounts, many of which had DD cards associated with them, James says. And while Dunkin’ did contact impacted customers this time around, the company did not disclose that customer accounts had been accessed without authorization, James says, adding that instead the company merely said that a third party had “attempted” to log in to the customers’ accounts and that the attempt may not have been successful.
James’ lawsuit alleges that Dunkin’ violated the state’s data breach notification statute by failing to notify consumers and authorities of the 2015 breach and by failing to accurately notify consumers of the 2018 data breach. The lawsuit also alleges that Dunkin’ violated New York’s consumer protection laws.
The lawsuit seeks injunctive relief, full restitution to customers, civil penalties and other remedies.
In a statement, Dunkin' Brands Inc. Chief Communications Officer Karen Raskopf said: “There is absolutely no basis for these claims by the New York Attorney General’s Office. For more than two years, we have fully cooperated with the AG’s investigation into this matter, and we are shocked and disappointed that they chose to move ahead with this lawsuit given the lack of merit to their case."
According to Raskopf, the 2015 incident centered around third parties "unsuccessfully" trying to access about 20,000 Dunkin' app accounts, but the database in question did not contain customer payment card information.
"We take the security of our customers’ data seriously and have robust data protection safeguards in place," Raskopf's statement went on to say. "We look forward to proving our case in court.”