New York AG Sues Dunkin’ Donuts Over Data Breach Handling

The company is alleged to have violated New York's data breach notification laws by repeatedly failing to take adequate action to safeguard consumers, or to inform them about the true extent of attacks.

by / September 27, 2019
New York Attorney General Letitia James Shutterstock/lev radin

As data breaches have become more ubiquitous, how a company handles them — its ability to perform triage, protect consumer information, and reach out to affected parties — says a lot about its cybersecurity posture. 

If a new lawsuit filed against Dunkin' Donuts has anything to say, it's that the coffee and pastry goliath may have a ways to go in finetuning its cybersecurity policies and performance. 

The suit, filed this week by the office of New York Attorney General Letitia James, accuses the company of mishandling a series of cyberattacks, the most recent of which affected over 300,000 customers — including 36,000 New Yorkers. 

Throughout 2015, millions of "brute force attacks," or hacks that use software automated to guess password or ID information, were being used to attempt entry into Dunkin' customer online and mobile app accounts, according to the lawsuit. 

Dunkin' is alleged to have violated New York's data breach notification laws by repeatedly failing to take adequate action to safeguard consumers, or to inform them about the true extent of attacks. 

During 2015, the attacks allegedly saw "tens of thousands" of customer accounts compromised, and "tens of thousands" of dollars in customer rewards stolen off their value cards, the lawsuit states. 

Despite the fact that Dunkin' had been notified of these incidents by its app developer CorFire by mid-2015, the company did not notify customers. Nor did it freeze accounts, reset passwords, or follow its own protocol for dealing with such a situation, ultimately ignoring the guidelines of its Computer and Data Security Incident Response Plan, the lawsuit alleges.   

Dunkin' did not act until another vendor contacted it again in 2018 to notify them that a new hack had affected over 300,000 customer accounts, according to the lawsuit. The company then “falsely conveyed [to customers] that a third party had 'attempted,' but failed, to log in to the customers' accounts,” according to the lawsuit.

The company's "representation to consumers that it used reasonable safeguards to protect consumers’ personal information, and the company’s statements concerning the 2018 breach, were false and misleading and violated New York’s consumer protection laws."

“Dunkin’ failed to protect the security of its customers,” said James in a statement. “And instead of notifying the tens of thousands impacted by these cybersecurity breaches, Dunkin’ sat idly by, putting customers at risk. My office is committed to protecting consumer data and holding businesses accountable for implementing safe security practices.” 

James has made it a priority to help modernize the state's data breach laws. Earlier this year, her administration pushed for passage of the SHIELD Act, which greatly expanded breach notification requirements for companies, while also broadening the definition of what constitutes a breach. James also sought and attained a multi-state settlement with Equifax after the company's large breach.   

Dunkin’ representatives have alleged that the lawsuit is incorrect and that the company did not find evidence that customer accounts had been wrongfully accessed during the 2015 incident, according to CBS News

Lucas Ropek Staff Writer

Lucas Ropek is a staff writer for Government Technology. He has worked as a newspaper reporter and writer in Massachusetts and New York. He received his Bachelor's degree in English from Kenyon College in Ohio. He lives in Northern California.

Platforms & Programs