NY Attorney General sues Dunkin' over a series of cyberattacks

The donut chain allegedly failed to protect its customers not once, but twice.

Dunkin' Donuts -- now just known as Dunkin' after its rebranding -- failed to protect thousands of customers against a series of cyberattacks, according to New York Attorney General Letitia James. James has filed a lawsuit accusing the company of violating the state's data breach notification statute. Dunkin', she said, failed to notify customers and authorities of a breach that happened in 2015, and failed to accurately tell customers what had happened to their accounts in another series of attacks in 2018.

Tens of thousands of customers' accounts were targeted in a series of what the complaint calls "brute force attacks" in 2015. Around 20,000 accounts were compromised in a single five-day period, but the total may be much higher, since the attack went on for months. The attackers got into customers' Dunkin' profiles, which held registered DD cards (reloadable stored-value cards used to make purchases), by logging in with usernames and passwords leaked on the internet from other companies' breaches. In other words, this was credential stuffing rather than password guessing: the attackers replayed passwords that customers had reused elsewhere, so each successful login looked like an ordinary one, and the only reliable fix for an affected account is to reset its password. The attackers then sold the victims' DD cards online or used them to buy things, stealing "tens of thousands of dollars" from the victims.
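The attack pattern described above leaves a recognizable trace in login logs: one source tries many different accounts, roughly once each, and a small fraction of those attempts succeed because the reused password happens to be correct. The following is an added example, not code from the article, from Dunkin' or from its app developer, of how a defender can pick that pattern out and produce the list of accounts that need a password reset. The log format, the sample lines and the thresholds are all constructed assumptions for illustration.

```python
"""
Added example (not from the article or from Dunkin'): flag credential-stuffing
sources in a login audit log and list the accounts that got compromised.

Assumed log format (constructed for this example):
    <iso-timestamp> ip=<source> user=<account> result=<ok|fail>
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log. 203.0.113.7 sprays one attempt at each of eight
# accounts and gets into two of them (the stuffing pattern). 198.51.100.20 is
# one person mistyping their own password, and 192.0.2.55 is a normal login.
SAMPLE_LOG = """\
2015-05-01T10:00:01Z ip=203.0.113.7 user=alice result=fail
2015-05-01T10:00:02Z ip=203.0.113.7 user=bob result=fail
2015-05-01T10:00:02Z ip=203.0.113.7 user=carol result=ok
2015-05-01T10:00:03Z ip=203.0.113.7 user=dave result=fail
2015-05-01T10:00:03Z ip=203.0.113.7 user=erin result=fail
2015-05-01T10:00:04Z ip=203.0.113.7 user=frank result=ok
2015-05-01T10:00:04Z ip=203.0.113.7 user=grace result=fail
2015-05-01T10:00:05Z ip=203.0.113.7 user=heidi result=fail
2015-05-01T10:05:00Z ip=198.51.100.20 user=alice result=fail
2015-05-01T10:05:10Z ip=198.51.100.20 user=alice result=fail
2015-05-01T10:05:20Z ip=198.51.100.20 user=alice result=ok
2015-05-01T10:06:00Z ip=192.0.2.55 user=ivan result=ok
"""


@dataclass
class SourceStats:
    """Per-source-IP counters built from the log."""
    attempts: int = 0
    users: set = field(default_factory=set)       # distinct accounts tried
    successes: set = field(default_factory=set)   # accounts actually logged into


def parse_line(line):
    """Split one log line into (timestamp, ip, user, result)."""
    ts, rest = line.split(" ", 1)
    kv = dict(part.split("=", 1) for part in rest.split())
    return ts, kv["ip"], kv["user"], kv["result"]


def aggregate(log_text):
    """Collect attempts, distinct accounts and successes per source IP."""
    stats = defaultdict(SourceStats)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, ip, user, result = parse_line(line)
        s = stats[ip]
        s.attempts += 1
        s.users.add(user)
        if result == "ok":
            s.successes.add(user)
    return stats


def flag_stuffing(stats, min_distinct_users=5, max_attempts_per_user=2.0,
                  max_success_rate=0.5):
    """
    Return the sources whose behaviour matches credential stuffing:
    many distinct accounts, about one attempt per account, and a low
    (but typically non-zero) success rate. A legitimate user retrying
    their own password hits one account many times and is not flagged.
    Thresholds are assumptions; tune them to real traffic.
    """
    flagged = {}
    for ip, s in stats.items():
        distinct = len(s.users)
        if distinct < min_distinct_users:
            continue
        if s.attempts / distinct > max_attempts_per_user:
            continue
        if len(s.successes) / s.attempts <= max_success_rate:
            flagged[ip] = s
    return flagged


def accounts_to_reset(log_text):
    """
    Return (flagged_ips, compromised_accounts). The second list is what the
    remediation in the text calls for: every account a flagged source logged
    into needs its password reset and its stored-value card frozen.
    """
    flagged = flag_stuffing(aggregate(log_text))
    compromised = set()
    for s in flagged.values():
        compromised |= s.successes
    return sorted(flagged), sorted(compromised)


if __name__ == "__main__":
    ips, accounts = accounts_to_reset(SAMPLE_LOG)
    print("stuffing sources:", ips)
    print("accounts to reset:", accounts)
```

Run as-is, the script reports 203.0.113.7 as the stuffing source and carol and frank as the accounts to reset; the user retrying their own password is not flagged. A real deployment would key on more than the source IP (the 2015 attacks ran for months, presumably from many addresses), but the per-source shape of the traffic is the signal, and the compromised-account list is exactly what the app developer handed Dunkin' and what the complaint says went unused.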

James said the company did nothing, even though the third-party developer of Dunkin's app notified it of the attacks and gave it a list of the accounts that had been compromised. The Attorney General's announcement of the lawsuit explained:

"...Dunkin' failed to take any steps to protect these nearly 20,000 customers -- or the potentially thousands more they did not know about -- by notifying them of unauthorized access, resetting their account passwords to prevent further unauthorized access, or freezing their DD cards. Dunkin' also failed to conduct any investigation into or analysis of the attacks to determine how many more customer accounts had been compromised, what customer information had been acquired, and whether customer funds had been stolen."

The company also failed to put measures in place to prevent the same kind of breach from happening again. In 2018, 300,000 customer accounts were compromised. Dunkin' did notify customers that time, but told them only that a third party had attempted to break into their accounts; it reportedly did not say that the accounts had in fact been compromised. The New York Attorney General is asking, among other things, that the company be penalized and that customers be compensated.