The New York Attorney General’s Office has sued Dunkin’ Brands, claiming that its Dunkin’ chain failed to notify some 20,000 customers that their accounts through the company’s app had been compromised back in 2015.
New York Attorney General Letitia James said that customers’ personal funds and information were put in jeopardy as a result of the “brute force” attack. She also accused Dunkin’ of failing to conduct a proper investigation into the attack.
“Dunkin’ failed to protect the security of its customers,” James said in a statement. “And instead of notifying the tens of thousands impacted by these cybersecurity breaches, Dunkin’ sat idly by, putting customers at risk.”
In a statement sent over email, Dunkin’ Brands Chief Communications Officer Karen Raskopf said that there is “no basis” for the claims and that no customer’s account was accessed.
Raskopf said the investigation centered on a “credential stuffing” incident in 2015 in which third parties tried unsuccessfully to access 20,000 Dunkin’ app accounts. The database did not contain customer payment card information and the company conducted an investigation after it was brought to its attention.
“There is absolutely no basis for these claims by the New York Attorney General’s Office,” Raskopf said. “For more than two years, we have fully cooperated with the AG’s investigation into this matter, and we are shocked and disappointed that they chose to move ahead with this lawsuit given the lack of merit to their case.
“We take the security of our customers’ data seriously and have robust data protection safeguards in place. We look forward to proving our case in court.”
The New York Attorney General said that Dunkin’ loyalty card accounts created through the company’s app and website were targeted in a series of attacks in which hackers made repeated, automated login attempts against the accounts.
Hackers could then take over the customers’ DD cards to make purchases or sell them online. James said that “tens of thousands of dollars” on customers’ accounts were stolen as a result of the hack.
James said Dunkin’ personnel received reports in May of that year, and that an app developer alerted the company of the attacks. The developer provided a list of 19,715 accounts that had been compromised over a five-day period, the attorney general said.
James then said the company didn’t notify customers of the access, reset their passwords or freeze their cards. And the attorney general also argued that the company didn’t conduct an investigation into the attacks.
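The attack pattern described above, a high-volume stream of automated login attempts against many different accounts, leaves a distinctive trace in authentication logs, and the response the attorney general says was missing (notify the affected customers, reset their passwords, freeze their cards) starts from a list of accounts that actually logged in during such a burst. The following is an added example, not code from the article or from Dunkin’; the log line format, the sample log entries, the IP addresses and the usernames are all constructed for the illustration, and the thresholds are hypothetical starting values a defender would tune to their own traffic.

```python
"""Credential-stuffing detection over authentication logs (illustrative).

A single source cycling through many *distinct* usernames with a high
failure rate inside a short window is the signature of credential
stuffing; any successful login inside that burst is a likely account
takeover and belongs on the reset-and-notify list.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, one event per line:
# "<ISO timestamp> <source ip> <username> <ok|fail>"
SAMPLE_LOG = """\
2015-05-01T10:00:00 203.0.113.9 alice@example.com fail
2015-05-01T10:00:01 203.0.113.9 bob@example.com fail
2015-05-01T10:00:01 203.0.113.9 carol@example.com ok
2015-05-01T10:00:02 203.0.113.9 dave@example.com fail
2015-05-01T10:00:02 203.0.113.9 erin@example.com fail
2015-05-01T10:00:03 203.0.113.9 frank@example.com ok
2015-05-01T10:00:03 203.0.113.9 grace@example.com fail
2015-05-01T10:00:04 203.0.113.9 heidi@example.com fail
2015-05-01T10:00:04 203.0.113.9 ivan@example.com fail
2015-05-01T10:00:05 203.0.113.9 judy@example.com fail
2015-05-01T10:05:00 198.51.100.7 alice@example.com fail
2015-05-01T10:05:20 198.51.100.7 alice@example.com ok
2015-05-01T11:00:00 192.0.2.44 bob@example.com ok
"""


def parse_log(text):
    """Parse log text into (time, ip, user, success) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[3] not in ("ok", "fail"):
            continue
        events.append((datetime.fromisoformat(parts[0]), parts[1], parts[2], parts[3] == "ok"))
    return events


def detect_stuffing(events, window=timedelta(minutes=5), min_accounts=8, min_fail_ratio=0.6):
    """Flag sources that tried >= min_accounts distinct usernames within one
    sliding window with a failure ratio >= min_fail_ratio (hypothetical
    thresholds). Returns {ip: {"attempts", "distinct_accounts", "failures",
    "compromised"}}, where "compromised" lists accounts that logged in
    successfully from that source during the burst.
    """
    by_ip = defaultdict(list)
    for ev in sorted(events):
        by_ip[ev[1]].append(ev)

    findings = {}
    for ip, evs in by_ip.items():
        flagged = [False] * len(evs)
        start = 0
        for end in range(len(evs)):
            # Advance the window start so evs[start:end+1] spans at most `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            burst = evs[start:end + 1]
            accounts = {e[2] for e in burst}
            failures = sum(1 for e in burst if not e[3])
            if len(accounts) >= min_accounts and failures / len(burst) >= min_fail_ratio:
                for i in range(start, end + 1):
                    flagged[i] = True
        burst = [e for e, hit in zip(evs, flagged) if hit]
        if burst:
            findings[ip] = {
                "attempts": len(burst),
                "distinct_accounts": len({e[2] for e in burst}),
                "failures": sum(1 for e in burst if not e[3]),
                "compromised": sorted(e[2] for e in burst if e[3]),
            }
    return findings


def accounts_to_reset(findings):
    """Union of compromised accounts across all flagged sources: the list that
    drives forced password resets, card freezes and customer notification."""
    return sorted({acct for f in findings.values() for acct in f["compromised"]})


if __name__ == "__main__":
    found = detect_stuffing(parse_log(SAMPLE_LOG))
    for ip, f in found.items():
        print(f"{ip}: {f['attempts']} attempts, {f['distinct_accounts']} accounts, "
              f"{f['failures']} failures, compromised={f['compromised']}")
    print("reset/notify:", accounts_to_reset(found))
```

In the constructed sample, only 203.0.113.9 is flagged: it hits ten different usernames in five seconds with an 80% failure rate, and the two successes inside that burst (carol and frank) are the accounts that need a reset and a notification. The lone user at 198.51.100.7 who mistypes a password and then succeeds touches a single account and is left alone, which is the false positive a per-account lockout rule alone would not avoid. The window, account-count and failure-ratio thresholds are assumptions to be tuned against the service's own baseline of legitimate traffic.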
The attorney general accused Dunkin’ of failing to implement safeguards to protect accounts from future attacks. The office also said that late last year, a vendor notified the company that hackers had gained unauthorized access to more than 300,000 accounts.
That time, the attorney general said, the company did contact customers about the attacks, though it told them that a third party had attempted to gain access to their accounts and that the attempt might not have been successful.