Dunkin’ Donuts is being sued over its not-so-sweet response to holes in its cyber security.
The giant doughnut-slinging chain failed to protect thousands of customers targeted in a series of online attacks, New York State Attorney General Tish James alleged Thursday.
In the first round of hacking, in 2015, “tens of thousands of dollars” were stolen from nearly 20,000 doughnut lovers’ DD cards, which can be used to make purchases in stores and online.
Then in 2018, hackers got into about 300,000 customers’ accounts.
Dunkin’ neglected to notify or protect customers in the first round of hacking, and gave a mealy-mouthed warning after the second breach, says James.
“Dunkin’ failed to protect the security of its customers,” the AG said in a statement. “And instead of notifying the tens of thousands impacted by these cyber security breaches, Dunkin’ sat idly by, putting customers at risk. My office is committed to protecting consumer data and holding businesses accountable for implementing safe security practices.”
The lawsuit cites a state law requiring businesses to notify customers and state authorities of data breaches. Dunkin’ is also accused of violating a law against unfair trade practices.
The doughnut shop pushed back strongly against James’ accusations.
“There is absolutely no basis for these claims by the New York Attorney General’s Office. For more than two years, we have fully cooperated with the AG’s investigation into this matter, and we are shocked and disappointed that they chose to move ahead with this lawsuit given the lack of merit to their case,” spokeswoman Karen Raskopf said.
The mischief began in early 2015 when unidentified hackers carried out a series of “brute force attacks,” which the AG’s office described as “repeated, automated attempts to gain access to accounts, often using usernames and passwords stolen through security breaches of other unrelated websites or online services.”
The cards can only be used to buy tasty treats from Dunkin’. Hackers were able to make purchases themselves or sell the cards online.
In addition to customer complaints, Dunkin’ in summer 2015 got repeated warnings from an app developer, which provided a list of 19,715 accounts that had been hacked during just five days.
But Dunkin’ failed to warn customers, reset their passwords or freeze DD cards. It didn’t make any effort to find out how many more doughnut lovers had been targeted, either.
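A defender-side illustration of the pattern the AG describes (one source cycling through many different usernames, most attempts failing) and of the follow-up the lawsuit says never happened (identify the accounts that were actually accessed so they can be reset, frozen and notified). This is an added example, not code from the article or from Dunkin’; the log format, IP addresses, usernames and thresholds are constructed assumptions.

```python
"""Flag credential-stuffing sources in login logs and list the accounts
that need a forced password reset, card freeze and customer notice."""
from collections import defaultdict

# Constructed sample log lines: timestamp, source IP, username, result.
SAMPLE_LOG = """\
2015-03-01T10:00:01 203.0.113.7 alice@example.com FAIL
2015-03-01T10:00:02 203.0.113.7 bob@example.com FAIL
2015-03-01T10:00:02 203.0.113.7 carol@example.com OK
2015-03-01T10:00:03 203.0.113.7 dave@example.com FAIL
2015-03-01T10:00:03 203.0.113.7 erin@example.com OK
2015-03-01T10:00:04 203.0.113.7 frank@example.com FAIL
2015-03-01T10:05:00 198.51.100.2 alice@example.com FAIL
2015-03-01T10:05:30 198.51.100.2 alice@example.com OK
"""


def parse_log(text):
    """Parse the (assumed) four-column log format into event dicts."""
    events = []
    for line in text.splitlines():
        ts, ip, user, result = line.split()
        events.append({"ts": ts, "ip": ip, "user": user, "ok": result == "OK"})
    return events


def find_stuffing_sources(events, min_users=5, min_fail_ratio=0.5):
    """One source trying many *distinct* usernames with a high failure rate is
    the stuffing signature; a single user mistyping a password is not."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    flagged = set()
    for ip, evs in by_ip.items():
        users = {e["user"] for e in evs}
        fails = sum(1 for e in evs if not e["ok"])
        if len(users) >= min_users and fails / len(evs) >= min_fail_ratio:
            flagged.add(ip)
    return flagged


def accounts_to_remediate(events, flagged_ips):
    """Accounts successfully logged into from a flagged source: these are the
    ones to reset, freeze any linked stored-value card on, and notify."""
    return sorted({e["user"] for e in events if e["ip"] in flagged_ips and e["ok"]})


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    bad = find_stuffing_sources(evs)
    print("flagged sources:", bad)
    print("accounts to remediate:", accounts_to_remediate(evs, bad))
```

The thresholds are deliberately simple; in production the same signal is usually computed per time window and per source network rather than per single IP.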
In late 2018, a vendor told Dunkin’ that hackers had gained unauthorized access to over 300,000 customer accounts, many of them linked to DD cards.
Dunkin’ misleadingly told customers hackers had “attempted” to log in to their accounts, when in fact they’d been accessed without authorization.
With News Wire Services