ALBANY — Dunkin’ Donuts failed to notify thousands of customers of a breach of their accounts in 2015, resulting in the theft of tens of thousands of dollars in gift card value, according to New York Attorney General Letitia James.
James filed a lawsuit Thursday accusing Dunkin’ Brands Inc., the franchisor of the well-known cake and coffee chain, of failing to properly protect its customers’ accounts, which store money loaded onto “DD” cards that can be used to purchase merchandise in stores.
The lawsuit, filed with the state Supreme Court in Manhattan, alleges that Dunkin’ never notified customers of the 2015 breach, even after funds had been withdrawn from their accounts.
The hack affected at least 19,175 accounts in a single five-day period, and James’s office says it may have affected thousands of other accounts that the company was not aware of.
“Dunkin’ has failed to protect the security of its customers,” James said in a statement. “Instead of notifying the tens of thousands affected by these cybersecurity breaches, Dunkin’ sat idly by, putting customers at risk.”
Dunkin’ denies violating New York law
In a statement, Dunkin’ vehemently denied any wrongdoing, saying there was “absolutely no basis” for James’ allegation.
The company said it had fully cooperated with the attorney general’s office’s investigation and was “shocked and disappointed” that the state had moved forward with the lawsuit.
“There is absolutely no basis for these allegations by the New York Attorney General’s Office. For over two years, we have fully cooperated with the AG’s investigation into this matter, and we are shocked and disappointed that they chose to proceed with this lawsuit due to the lack of merit in their case.
“The database in question does not contain any information on customer payment cards,” Dunkin’ Brands chief communications officer Karen Raskopf said in a statement.
“The incident was brought to our attention by the firewall vendor at the time, and we immediately conducted a thorough investigation. This investigation showed that no customer account was improperly accessed and, therefore, there was no reason to notify our customers.”
James’ lawsuit accuses the chain of violating New York’s cybersecurity laws, which require companies to protect customer data and notify them of any breaches.
It focuses heavily on the 2015 hack, a “brute force” attack in which hackers use automated programs to repeatedly attempt logins to accounts, continuing until they succeed.
The accounts in question belong to customers who registered their DD cards online or through a mobile app, allowing them to store their value in an online account and use them at Dunkin’ stores across the country.
Lawsuit says Dunkin’ got it wrong on 2018 breach too
The lawsuit also faults the company’s handling of a 2018 breach, which was even larger, affecting nearly 300,000 DD Perks customers.
Dunkin’ notified its customers of the 2018 attack, but told them only that the attacker may have “tried” to gain access to their accounts – when, in fact, the attacker had gained access to the accounts.
The lawsuit seeks to compel Dunkin’ to make a full accounting of the 2015 breach and to pay restitution and damages to its New York customers.
It also demands the payment of civil fines to the state.
James filed the lawsuit in the State Supreme Court in Manhattan.
Raskopf, a Dunkin’ spokeswoman, said the company has “robust data protection measures in place” and takes the security of its customers’ data very seriously.
“We look forward to making our case in court,” she said.