September 27, 2019
New York State Attorney General Letitia James filed suit against Dunkin', alleging the iconic restaurant chain failed to notify almost 20,000 customers about a series of cyber breaches against its website and mobile app that left their personal information and payment accounts exposed to potential compromise.
The suit alleges that Dunkin' failed to investigate the breaches to determine whether customer accounts had been compromised, whether hackers had obtained personal data or whether funds were stolen.
"Dunkin' failed to protect the security of its customers," the AG said in a statement. "And instead of notifying the tens of thousands impacted by these cybersecurity breaches, Dunkin' sat idly by, putting customers at risk."
According to the suit, Dunkin' was hit starting in 2015 with a series of brute force attacks that often used stolen usernames and passwords. Once the attackers gained access to DD accounts, they could make purchases through the accounts and could also resell DD cards online. The suit alleges tens of thousands of accounts were compromised and tens of thousands of dollars were stolen from these accounts.
The AG alleges that a third-party app developer notified Dunkin' of the attacks in the summer of 2015 and handed over a list of more than 19,000 accounts. In 2018, a vendor notified Dunkin' about an attack, stating that more than 300,000 accounts had been accessed. However, the AG claims that Dunkin' later said the attack was only an attempt and had not been successful.
Dunkin' strongly denied the allegations:
"There is absolutely no basis for these claims by the New York Attorney General's office," Karen Raskopf, chief communications officer at Dunkin' Brands, said in an emailed statement. "For more than two years, we have fully cooperated with the AG's investigation into the matter, and we are shocked and disappointed that they chose to move ahead with this lawsuit given the lack of merit to their case."
The statement said there was no payment data involved in the 2015 attack and that Dunkin' launched an immediate investigation after it was notified by a firewall vendor.