MANHATTAN (CN) — Dunkin’ Donuts’ failure to notify thousands of customers that a cyberattack had compromised their accounts sparked a lawsuit Thursday from the New York attorney general.
Attorney General Letitia James does not specify when in 2015 the online attacks occurred but says Dunkin’ Donuts became aware of them “at least as early as May” that year.
The attacks targeted Dunkin’-branded customer accounts that the doughnut giant has offered for at least a decade. Dunkin’ offers an app for customers to manage these DD Cards, including adding passwords, credit card numbers and other personal information.
James says Dunkin’ got a list of compromised accounts in May 2015 from the app developer, identified in the complaint as SK C&C USA dba CorFire.
Though this list showed nearly 20,000 customers were compromised, Dunkin’ neither notified any customers of the breach nor opened any kind of meaningful investigation.
“Instead of disclosing that customer accounts had been targeted in brute force attacks, Dunkin’ customer service personnel told many customers that the customers’ own actions may have led to the fraudulent activity,” the complaint says. “In particular, customer service personnel advised many customers that the fraudulent activity could have been the result of a ‘phishing’ attack.”
But James says Dunkin’ couldn’t ignore the issue as the number of customers reporting breach-related account issues grew larger each month.
“In January 2018 alone, more than 950 customers reported that their account had been compromised,” the complaint states. “During this time period, Dunkin’ failed to implement appropriate safeguards to limit brute force attacks through the mobile app.”
James says the failure of Dunkin’ to implement safeguards that would prevent future attacks came back to bite it last year. This time, a series of brute-force attacks in October and November 2018 exposed the account details of more than 300,000 customers.
Dunkin’ again failed to investigate, according to the complaint, which says customers received a misleading message from Dunkin’ about an “attempted” third-party log-in.
“Even after more than four years, Dunkin’ has yet to conduct an appropriate investigation into the reported attacks or take appropriate action to protect its customers,” the complaint states.
The complaint adds that Dunkin’ replaced the compromised DD Cards but has not reimbursed customers for stolen funds unless the customer proactively complained about the fraud.
Dunkin’ spokeswoman Karen Raskopf emphasized that Dunkin’ takes the security of its customers seriously and looks forward to proving that in court.
“There is absolutely no basis for these claims by the New York Attorney General’s Office,” said Raskopf in a statement. “For more than two years, we have fully cooperated with the AG’s investigation into this matter, and we are shocked and disappointed that they chose to move ahead with this lawsuit given the lack of merit to their case.”