NY files suit against Dunkin' Donuts over security breaches

NY files suit against Dunkin' Donuts over security breaches
© Getty Images

New York's attorney general has filed suit against Dunkin' Donuts over the company's alleged failure to notify its customers of a cyberattack compromising systems that allowed users to store money digitally for use at the chain's stores.

Letitia Jones (D) said in a press release Thursday that the donut chain "failed to protect the security of its customers," notify them that their money was at risk and failed to conduct an investigation of the attack.

ADVERTISEMENT

“Dunkin’ failed to protect the security of its customers,” said James. “And instead of notifying the tens of thousands impacted by these cybersecurity breaches, Dunkin’ sat idly by, putting customers at risk. My office is committed to protecting consumer data and holding businesses accountable for implementing safe security practices.”

The press release goes on to allege that after a 2015 cyberattack compromised the accounts of nearly 20,000 customers, including about 2,000 in New York, the company "failed to take any steps to protect these nearly 20,000 customers — or the potentially thousands more they did not know about — by notifying them of unauthorized access, resetting their account passwords to prevent further unauthorized access, or freezing their DD cards."

A second data breach in 2018 was alerted to customers, the complaint continues, but New York authorities alleged that Dunkin' falsely characterized the 2018 breach as a third-party vendor attempting to access customer information.

Dunkin's supposed failure to notify customers and state authorities, James alleged in the press release, violated state laws requiring citizens who have private information or funds compromised in a data breach be "accurately" notified of the problem.

The company sharply denied James's allegations in a statement obtained by The Associated Press, arguing that Dunkin' officials had cooperated with the attorney general's investigation into whether it had properly notified customers about the breaches.

“There is absolutely no basis for these claims by the New York Attorney General’s Office. For more than two years, we have fully cooperated with the AG’s investigation into this matter, and we are shocked and disappointed that they chose to move ahead with this lawsuit given the lack of merit to their case,” said a Dunkin' spokesperson.