Dunkin’ was aware of a series of online attacks on customer accounts as early as May 2015 but didn’t conduct an appropriate investigation into them despite having received alerts from the company’s app developer, Attorney General Letitia James said in the lawsuit Thursday. The lawsuit also notes a 2018 attack that was disclosed, and claims the company played down the hacking incident.
Dunkin’ said Thursday that it didn’t notify customers of the 2015 incident because the customer database didn’t contain payment details and the hackers were unsuccessful in their attempts to access it. The company said it will challenge the attorney general’s claims in court.
The attorney general said the accounts under attack were linked to the company’s value, or DD, cards, from which tens of thousands of dollars were stolen in 2015. She said Dunkin’ didn’t attempt to freeze value cards associated with the accounts. The company said it doesn’t believe any money was stolen.
An investigation could have determined which accounts had been compromised, what information had been accessed and whether customers funds had been stolen, according to the lawsuit filed with the Supreme Court of the State of New York.
“Dunkin’ failed to protect the security of its customers,” Ms. James said in prepared remarks. “And instead of notifying the tens of thousands impacted by these cybersecurity breaches, Dunkin’ sat idly by, putting customers at risk.”
A vendor also notified Dunkin’ in late 2018 that a series of attacks had led to unauthorized access of more than 300,000 customer accounts, the lawsuit said. The company informed the affected customers of the attacks, but said they may have been unsuccessful, the lawsuit said.
“There is absolutely no basis for these claims by the New York Attorney General’s Office,” Dunkin’ spokeswoman Karen Raskopf said in a statement.
“For more than two years, we have fully cooperated with the AG’s investigation into this matter, and we are shocked and disappointed that they chose to move ahead with this lawsuit given the lack of merit to their case.”
The attorney general’s office said it is seeking civil penalties for Dunkin’ and that the company pay damages to consumers. At least 2,200 of the hacked accounts in 2015 belonged to New York residents, the lawsuit said, attributing the findings to Dunkin’s app developer, CorFire.