New York Attorney General Letitia James announced a lawsuit against Dunkin’ Brands, Inc. — franchisor of Dunkin’ Donuts — for failing to protect thousands of customers targeted in a series of cyberattacks.

The company allegedly failed to notify nearly 20,000 customers that their accounts had been compromised, even though their information and personal funds were in jeopardy, says the press release. Dunkin’ also allegedly failed to conduct an investigation into a series of attacks that would have helped it determine which other accounts had been compromised, what customer information had been acquired, and whether customer funds had been stolen, notes the release. 

“Dunkin’ failed to protect the security of its customers,” said Attorney General Letitia James. “And instead of notifying the tens of thousands impacted by these cybersecurity breaches, Dunkin’ sat idly by, putting customers at risk. My office is committed to protecting consumer data and holding businesses accountable for implementing safe security practices.”

"Beginning in early 2015, customer accounts were targeted in a series of “brute force attacks,” which are repeated, automated attempts to gain access to accounts, often using usernames and passwords stolen through security breaches of other unrelated websites or online services. An attacker that gained access to a customer’s Dunkin’ account could not only use DD cards registered to the account to make purchases, but could also sell the DD cards online. In a matter of months, tens of thousands of customer accounts were compromised through these attacks, and tens of thousands of dollars on customers’ DD cards were stolen," says the press release. 

By May 2015, claims the release, Dunkin’ personnel were receiving customer reports that attackers were gaining access to their accounts, and over a period of several months during the summer of 2015, a third-party app developer for Dunkin’ repeatedly alerted the company to attackers’ ongoing attempts to log in to customer accounts, and even provided Dunkin’ with a list of 19,715 accounts that had been compromised by attackers over just a five-day period

"Dunkin’ failed to take any steps to protect these nearly 20,000 customers — or the potentially thousands more they did not know about — by notifying them of unauthorized access, resetting their account passwords to prevent further unauthorized access, or freezing their DD cards. Dunkin’ also failed to conduct any investigation into or analysis of the attacks to determine how many more customer accounts had been compromised, what customer information had been acquired, and whether customer funds had been stolen," says the press release. 

The lawsuit specifically alleges that Dunkin’ violated New York’s data breach notification statute, General Business Law § 899-aa, by failing to notify consumers and New York State authorities of the 2015 data breach, and failing to accurately notify consumers of the 2018 data breach. The lawsuit also alleges that Dunkin’ violated New York’s consumer protection laws, including Executive Law § 63(12), and General Business Law §§ 349 and 350, by misrepresenting to consumers that it provided reasonable safeguards to protect customers’ personal information when they first signed up for an account. The lawsuit seeks injunctive relief, full restitution to customers, civil penalties and other remedies.