NY Attorney General sues Dunkin' over a series of cyberattacks

The donut chain allegedly failed to protect its customers not once, but twice.

Dunkin' Donuts -- now just known as Dunkin' after its rebranding -- failed to protect thousands of customers against a series of cyberattacks, according to New York Attorney General Letitia James. The NY Attorney General has filed a lawsuit against the company, accusing it of violating the state's data breach notification statute. Dunkin', James said, failed to notify customers and authorities of a data breach that happened in 2015 and to accurately notify consumers about the state of their accounts in another series of cyberattacks in 2018.

Apparently, tens of thousands of customers' accounts were targeted in a series of "brute force attacks" in 2015. Around 20,000 accounts were compromised over a five-day period, but the number may be much higher seeing as the attack went on for months. The attackers broke into customers' Dunkin' profiles containing registered DD cards -- reloadable cards used to make purchases -- using account names and passwords leaked on the internet from other security breaches. They then sold the victims' DD cards online or used them to buy things, stealing "tens of thousands of dollars" from the victims.

James said the company did nothing, even though the third-party app developer working for Dunkin' notified it about the breach and provided it with the list of accounts that had been compromised. The Attorney General's announcement of the lawsuit explained:

"...Dunkin' failed to take any steps to protect these nearly 20,000 customers -- or the potentially thousands more they did not know about -- by notifying them of unauthorized access, resetting their account passwords to prevent further unauthorized access, or freezing their DD cards. Dunkin' also failed to conduct any investigation into or analysis of the attacks to determine how many more customer accounts had been compromised, what customer information had been acquired, and whether customer funds had been stolen."

The company also failed to implement precautionary measures to prevent a security breach from happening again. In 2018, 300,000 customer accounts were compromised yet again. While Dunkin' notified customers that time around, it only told them that a third-party entity attempted to break into their account -- it reportedly didn't admit that their account had been compromised. The New York Attorney General is asking, among other things, that the company be penalized and that customers be compensated.
