Dunkin' Sued After Hack Affects 20,000 Customers: NY AG

New York's attorney general said Dunkin' failed to notify 20,000 customers that their accounts had been jeopardized in a 2015 cyberattack.

CANTON, MA — New York Attorney General Letitia James announced her office is filing a lawsuit against Dunkin' following a cyberattack that compromised the accounts of nearly 20,000 customers. Tens of thousands of dollars on customers' "DD" value cards were stolen during the breach.

The attorney general's office in a statement said the Canton-based company failed to notify customers that their accounts had been jeopardized in a 2015 cyberattack. James also alleged that Dunkin' failed to conduct an investigation into the hacks. She said an investigation would have helped determine which accounts were compromised, what customer information was acquired and whether money had been stolen.

"Dunkin' failed to protect the security of its customers," said James. "And instead of notifying the tens of thousands impacted by these cybersecurity breaches, Dunkin' sat idly by, putting customers at risk."

Dunkin' denied any wrongdoing. A spokesperson told ZD Net there's "absolutely no basis" for the lawsuit.

"For more than two years, we have fully cooperated with the attorney general's investigation into this matter, and we are shocked and disappointed that they chose to move ahead with this lawsuit given the lack of merit to their case," a company spokesperson told ZD Net.

In early 2015, customer accounts were targeted in a series of "brute force attacks," which are repeated, automated attempts to gain access to accounts, often using usernames and passwords stolen through security breaches of other unrelated websites or online services, the attorney general's office said.

Following the attack, hackers gained access to the accounts and could not only use customers' "DD cards," but could also sell those cards online. In a matter of months, tens of thousands of customer accounts were compromised through these attacks, and tens of thousands of dollars on customers' DD cards were stolen, James' office said.

By May 2015, Dunkin' employees began receiving customer reports that hackers had gained access to their accounts. Additionally, over a period of several months during summer 2015, the attorney general's office said a third-party app developer for Dunkin' repeatedly alerted the company to the ongoing breach. James' office said the app developer provided the company with a list of almost 20,000 accounts that had been compromised by attackers over just a five-day period.

The attorney general's office said Dunkin' failed to take any steps to protect its customers after being made aware of the breach. James said Dunkin' could have notified customers, reset their account passwords or frozen their "DD cards," but none of those actions were taken. James' office also alleges the company failed to implement appropriate safeguards following the breach.

In late 2018, a vendor notified Dunkin' that customer accounts had again been attacked, and that the attacks had resulted in the unauthorized access of more than 300,000 accounts, many of which had DD cards associated with them.

The attorney general's office said customers were contacted about these attacks, but Dunkin' did not disclose that customer accounts had been accessed without authorization. Instead, Dunkin’ falsely represented that a third party had 'attempted' to log in to the customers' accounts and that the attempt may not have been successful, the office said.
