DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

NYS Attorney General James Sues Dunkin’ Donuts For Glazing Over Cyberattacks Targeting Thousands

Posted on September 26, 2019 by Dissent

New York Attorney General Letitia James today announced a lawsuit against Dunkin’ Brands, Inc. — franchisor of Dunkin’ Donuts — for failing to protect thousands of customers targeted in a series of cyberattacks. The company failed to notify nearly 20,000 customers that their accounts had been compromised, even though their information and personal funds were in jeopardy. Dunkin’ also failed to conduct an investigation into a series of attacks that would have helped it determine which other accounts had been compromised, what customer information had been acquired, and whether customer funds had been stolen.

“Dunkin’ failed to protect the security of its customers,” said Attorney General Letitia James. “And instead of notifying the tens of thousands impacted by these cybersecurity breaches, Dunkin’ sat idly by, putting customers at risk. My office is committed to protecting consumer data and holding businesses accountable for implementing safe security practices.”

The lawsuit involves accounts of the company’s customers created through the Dunkin’ website or free mobile app for Android and iOS devices. These accounts enable customers to manage “DD cards” — stored value cards that customers can use to make purchases at both Dunkin’ stores and online. To encourage customers to create accounts, Dunkin’ represented that the company was using reasonable safeguards to protect customers’ personal information from loss, misuse, and unauthorized access and disclosure.

Beginning in early 2015, customer accounts were targeted in a series of “brute force attacks,” which are repeated, automated attempts to gain access to accounts, often using usernames and passwords stolen through security breaches of other unrelated websites or online services. An attacker that gained access to a customer’s Dunkin’ account could not only use DD cards registered to the account to make purchases, but could also sell the DD cards online. In a matter of months, tens of thousands of customer accounts were compromised through these attacks, and tens of thousands of dollars on customers’ DD cards were stolen.

By May 2015, Dunkin’ personnel were receiving customer reports that attackers were gaining access to their accounts. Additionally, over a period of several months during the summer of 2015, a third-party app developer for Dunkin’ repeatedly alerted the company to attackers’ ongoing attempts to log in to customer accounts, and even provided Dunkin’ with a list of 19,715 accounts that had been compromised by attackers over just a five-day period.

Yet, Dunkin’ failed to take any steps to protect these nearly 20,000 customers — or the potentially thousands more they did not know about — by notifying them of unauthorized access, resetting their account passwords to prevent further unauthorized access, or freezing their DD cards. Dunkin’ also failed to conduct any investigation into or analysis of the attacks to determine how many more customer accounts had been compromised, what customer information had been acquired, and whether customer funds had been stolen.

Moreover, following the attacks in 2015, Dunkin’ failed to implement appropriate safeguards to limit future brute force attacks through the mobile app, despite customer reports of continuing fraud on their accounts. In late 2018, a vendor notified Dunkin’ that customer accounts had again been attacked, and that the attacks had resulted in the unauthorized access of more than 300,000 Dunkin’ customer accounts, many of which had DD cards associated with them. Although Dunkin’ this time contacted impacted customers about these attacks, the company did not disclose that customer accounts had been accessed without authorization. Instead, Dunkin’ falsely represented that a third party had merely “attempted” to log in to the customers’ accounts and that the attempt may not have been successful.

The lawsuit specifically alleges that Dunkin’ violated New York’s data breach notification statute, General Business Law § 899-aa, by failing to notify consumers and New York State authorities of the 2015 data breach, and failing to accurately notify consumers of the 2018 data breach. The lawsuit also alleges that Dunkin’ violated New York’s consumer protection laws, including Executive Law § 63(12), and General Business Law §§ 349 and 350, by misrepresenting to consumers that it provided reasonable safeguards to protect customers’ personal information when they first signed up for an account. The lawsuit seeks injunctive relief, full restitution to customers, civil penalties, and other remedies.

The New York State Attorney General’s Office reminds consumers to regularly check account balances — whether using pre-paid gift cards or credit cards — for unusual activity to ensure they have not been victims of theft.

This case is being handled by Senior Enforcement Counsel Jordan Adler and Assistant Attorney General Johanna Skrzypczyk of the Bureau of Internet and Technology, under the supervision of Bureau Chief Kim A. Berger and Deputy Bureau Chief Clark P. Russell. The Bureau of Internet and Technology is overseen by Chief Deputy Attorney General for Economic Justice Christopher D’Angelo.

Source:  Attorney General James

Update:  ZDNet has Dunkin Donuts’ response.

Category: Business SectorHackOf Note

Post navigation

← OK: Guthrie Public Schools hit by ransomware attack
Two Southwestern Ontario hospitals hit by cyber attack →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Rewards for Justice offers $10M reward for info on RedLine developer or RedLine’s use by foreign governments
  • New evidence links long-running hacking group to Indian government
  • Zaporizhzhia Cyber ​​Police Exposes Hacker Who Caused Millions in Losses to Victims by Mining Cryptocurrency
  • Germany fines Vodafone $51 million for privacy, security breaches
  • Google: Hackers target Salesforce accounts in data extortion attacks
  • The US Grid Attack Looming on the Horizon
  • US govt login portal could be one cyberattack away from collapse, say auditors
  • Two Men Sentenced to Prison for Aggravated Identity Theft and Computer Hacking Crimes
  • 100,000 UK taxpayer accounts hit in £47m phishing attack on HMRC
  • CISA Alert: Updated Guidance on Play Ransomware

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • How the FBI Sought a Warrant to Search Instagram of Columbia Student Protesters
  • Germany fines Vodafone $51 million for privacy, security breaches
  • Malaysia enacts data sharing rules for public sector
  • U.S. Enacts Take It Down Act
  • 23andMe Bankruptcy Judge Ponders Trump Bill’s Injunction Impact
  • Hell No: The ODNI Wants to Make it Easier for the Government to Buy Your Data Without Warrant
  • US State Dept. says silence or anonymity on social media is suspicious

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.