Dunkin’ has agreed to provide refunds to customers whose stored value cards were compromised in a data breach as part of a settlement of a lawsuit that New York Attorney General Letitia James filed last year.
James sued the Canton, Mass.-based Dunkin’ Brands after hackers compromised customers’ online accounts with a series of “credential stuffing attacks,” or repeated, automated attacks to gain access to accounts using stolen usernames and passwords. The breach took place between 2015 and 2018.
James said the attacks compromised thousands of customers’ DD Perks stored value cards, enabling the attackers to make purchases with them or sell the cards online. The result was the theft of thousands of dollars from customers’ DD Perks cards.
According to James, Dunkin’ agreed to notify customers who were impacted in the attacks, reset their passwords, and provide refunds for unauthorized use of their cards. The company will also maintain safeguards to protect against similar attacks and pay a $650,000 fine.
“For years Dunkin’ hid the truth and failed to protect the security of its customers, who were left paying the bill,” James said in a statement.
In a statement, Dunkin’ said that the events impacted “less than 1%” of DD Perks members. DD Perks is Dunkin’s loyalty program.
The company also said it put in security measures “long before” the lawsuit was filed last year.
“Long before the New York Attorney General filed suit in this matter, Dunkin’ had voluntarily implemented or enhanced the security measures identified in today’s settlement,” Dunkin’ said. “We did so not because we were required to by any regulatory or enforcement authority, but because we are committed to protecting our customers’ data. We are continually updating and enhancing our security measures to address ever-evolving cyber security threats, and we use robust information security and data safeguards.”
The company said it had provided notifications and reset passwords for the “vast majority” of New York customers affected by the settlement. Dunkin’ said it mostly agreed to provide supplemental information, and that “it has always been Dunkin’s policy to provide refunds where there is evidence of unauthorized use, as well as to freeze cards, transfer balances and reset passwords.”
Dunkin’ also stressed that the hackers never accessed credit card information. “Dunkin’ digital customers can also be confident that we have taken steps to make sure that any stored value cards associated with their Dunkin’ accounts are protected and secure.”
James accused Dunkin’ of failing to conduct an investigation after it was “repeatedly warned” that customer accounts were being inappropriately accessed. James also said that Dunkin’ failed to notify customers of unauthorized access to their accounts, reset passwords or freeze the cards, and that “the attacks continued for years.”