New York Attorney General Letitia James has filed a lawsuit against Dunkin’ Brands in connection with a data breach that goes back to 2015. The suit charges the coffee and donut franchisor with failing to protect thousands of customers targeted in a series of cyberattacks.
The suit contends that Dunkin’ failed to tell some 20,000 customers that their accounts had been compromised. The company is further charged with failing to investigate a series of attacks that might have shed light on other potentially compromised accounts.
“Dunkin’ failed to protect the security of its customers,” James said. “And instead of notifying the tens of thousands impacted by these cybersecurity breaches, Dunkin’ sat idly by, putting customers at risk.”
As is usually the case in litigation, the company did not immediately respond to media requests for comment.
The attorney general’s complaint alleges Dunkin’ did not act to protect nearly 20,000 customers in 2015 when their accounts were targeted by hackers. The suit says Dunkin’ did not reset passwords for the affected accounts or freeze associated Dunkin’ Donuts cards.
The lawsuit revolves around accounts customers created using the Dunkin’ website or mobile app. The accounts allow customers to manage “DD cards” — stored value cards that customers can use to make purchases at both Dunkin’ stores and online.
‘Assured customers information was secure’
James alleges that the company assured potential customers that it was using reasonable safeguards to protect customers’ personal information from loss, misuse, and unauthorized access and disclosure.
She further claims Dunkin’ did not adopt proper and effective safeguards after the attack that would have limited future breaches, pointing to the company’s data breach that was announced 13 months ago.
At that time, the company reported that it had become aware of a possible security breach on October 31, 2018. In a notification to rewards program customers, it said it was possible some DD Perks accounts had been compromised.
After learning of the breach, Dunkin’ said it “forced a password reset that required all of the potentially impacted DD Perks account holders to log out and log back into their account using a new password.” Dunkin’ encouraged customers to use “unique passwords” and not reuse passwords used for their other online accounts.