IE 11 Not Supported

For optimal browsing, we recommend Chrome, Firefox or Safari browsers.

New York AG Sues Dunkin’ Donuts Over Data Breach Handling

The company is alleged to have violated New York's data breach notification laws by repeatedly failing to take adequate action to safeguard consumers, or to inform them about the true extent of attacks.

As data breaches have become more ubiquitous, how a company handles them — its ability to perform triage, protect consumer information, and reach out to affected parties — says a lot about its cybersecurity posture. 

If a new lawsuit filed against Dunkin' Donuts has anything to say, it's that the coffee and pastry goliath may have a ways to go in finetuning its cybersecurity policies and performance. 

The suit, filed this week by the office of New York Attorney General Letitia James, accuses the company of mishandling a series of cyberattacks, the most recent of which affected over 300,000 customers — including 36,000 New Yorkers. 

Throughout 2015, millions of "brute force attacks," or hacks that use software automated to guess password or ID information, were being used to attempt entry into Dunkin' customer online and mobile app accounts, according to the lawsuit. 

Dunkin' is alleged to have violated New York's data breach notification laws by repeatedly failing to take adequate action to safeguard consumers, or to inform them about the true extent of attacks. 

During 2015, the attacks allegedly saw "tens of thousands" of customer accounts compromised, and "tens of thousands" of dollars in customer rewards stolen off their value cards, the lawsuit states. 

Despite the fact that Dunkin' had been notified of these incidents by its app developer CorFire by mid-2015, the company did not notify customers. Nor did it freeze accounts, reset passwords, or follow its own protocol for dealing with such a situation, ultimately ignoring the guidelines of its Computer and Data Security Incident Response Plan, the lawsuit alleges.   

Dunkin' did not act until another vendor contacted it again in 2018 to notify them that a new hack had affected over 300,000 customer accounts, according to the lawsuit. The company then “falsely conveyed [to customers] that a third party had 'attempted,' but failed, to log in to the customers' accounts,” according to the lawsuit.

The company's "representation to consumers that it used reasonable safeguards to protect consumers’ personal information, and the company’s statements concerning the 2018 breach, were false and misleading and violated New York’s consumer protection laws."

“Dunkin’ failed to protect the security of its customers,” said James in a statement. “And instead of notifying the tens of thousands impacted by these cybersecurity breaches, Dunkin’ sat idly by, putting customers at risk. My office is committed to protecting consumer data and holding businesses accountable for implementing safe security practices.” 

James has made it a priority to help modernize the state's data breach laws. Earlier this year, her administration pushed for passage of the SHIELD Act, which greatly expanded breach notification requirements for companies, while also broadening the definition of what constitutes a breach. James also sought and attained a multi-state settlement with Equifax after the company's large breach.   

Dunkin’ representatives have alleged that the lawsuit is incorrect and that the company did not find evidence that customer accounts had been wrongfully accessed during the 2015 incident, according to CBS News

Lucas Ropek is a former staff writer for Government Technology.
Special Projects
Sponsored Articles
  • Sponsored
    Smart cities could transform urban living for the better. However, in order to mitigate the risks of cyber threats that can be exacerbated by inadequately secured and mobile edge computing (MEC) technologies, government officials should be aware of smart cities security concerns associated with their supporting infrastructure.
  • Sponsored
    How the convergence of security and networking is accelerating government agencies journey to the cloud.
  • Sponsored
    Microsoft Teams quickly became the business application of choice as state and local governments raced to equip remote teams and maintain business continuity during the COVID-19 lockdown. But in the rush to deploy Teams, many organizations overlook, ignore or fail to anticipate some of the administrative hurdles to successful adoption. As more organizations have matured their use of Teams, a set of lessons learned has emerged to help agencies ensure a successful Teams rollout – or correct course on existing implementations.
  • Sponsored
    Five Key Criteria for Selecting the Right Technology Solution for Communications and Notifications