New York Attorney General Letitia James last week announced a lawsuit against Dunkin’ Brands, Inc. — franchisor of Dunkin’ Donuts — for allegedly failing to protect thousands of customers targeted in a series of cyberattacks.
According to James, Dunkin failed to notify nearly 20,000 customers that their accounts had been compromised, even though their information and personal funds were in jeopardy. Dunkin’ also failed to conduct an investigation into a series of attacks that would have helped it determine which other accounts had been compromised, what customer information had been acquired, and whether customer funds had been stolen.
“Dunkin’ failed to protect the security of its customers,” said James. “And instead of notifying the tens of thousands impacted by these cybersecurity breaches, Dunkin’ sat idly by, putting customers at risk. My office is committed to protecting consumer data and holding businesses accountable for implementing safe security practices.”
The lawsuit involves accounts of the company’s customers created through the Dunkin’ website or free mobile app for Android and iOS devices. These accounts enable customers to manage “DD cards” — stored value cards that customers can use to make purchases at both Dunkin’ stores and online. To encourage customers to create accounts, Dunkin’ represented that the company was using reasonable safeguards to protect customers’ personal information from loss, misuse, and unauthorized access and disclosure.
Beginning in early 2015, customer accounts were targeted in a series of “brute force attacks,” which are repeated, automated attempts to gain access to accounts, often using usernames and passwords stolen through security breaches of other unrelated websites or online services. An attacker that gained access to a customer’s Dunkin’ account could not only use DD cards registered to the account to make purchases, but could also sell the DD cards online. In a matter of months, tens of thousands of customer accounts were compromised through these attacks, and tens of thousands of dollars on customers’ DD cards were stolen.
By May 2015, Dunkin’ personnel were receiving customer reports that attackers were gaining access to their accounts. In addition, over a period of several months during the summer of 2015, a third-party app developer for Dunkin’ repeatedly alerted the company to attackers’ ongoing attempts to log in to customer accounts, and even provided Dunkin’ with a list of 19,715 accounts that had been compromised by attackers over just a five-day period.
Yet, Dunkin’ failed to take any steps to protect these nearly 20,000 customers — or the potentially thousands more they did not know about — by notifying them of unauthorized access, resetting their account passwords to prevent further unauthorized access, or freezing their DD cards. Dunkin’ also failed to conduct any investigation into or analysis of the attacks to determine how many more customer accounts had been compromised, what customer information had been acquired, and whether customer funds had been stolen.
Moreover, following the attacks in 2015, Dunkin’ failed to implement appropriate safeguards to limit future brute force attacks through the mobile app, despite customer reports of continuing fraud on their accounts. In late 2018, a vendor notified Dunkin’ that customer accounts had again been attacked, and that the attacks had resulted in the unauthorized access of more than 300,000 Dunkin’ customer accounts, many of which had DD cards associated with them. Although Dunkin’ this time contacted impacted customers about these attacks, the company did not disclose that customer accounts had been accessed without authorization. Instead, Dunkin’ falsely represented that a third party had merely “attempted” to log in to the customers’ accounts and that the attempt may not have been successful.
The lawsuit specifically alleges that Dunkin’ violated New York’s data breach notification statute, General Business Law § 899-aa, by failing to notify consumers and New York State authorities of the 2015 data breach, and failing to accurately notify consumers of the 2018 data breach. The lawsuit also alleges that Dunkin’ violated New York’s consumer protection laws, including Executive Law § 63(12), and General Business Law §§ 349 and 350, by misrepresenting to consumers that it provided reasonable safeguards to protect customers’ personal information when they first signed up for an account. The lawsuit seeks injunctive relief, full restitution to customers, civil penalties, and other remedies.