Dunkin’ Brands Inc. has settled a lawsuit filed by New York state stemming from a series of cyberattacks that compromised tens of thousands of customer accounts.
The lawsuit charged that Dunkin’, based in Canton, Massachusetts, violated New York state law by failing to notify consumers and New York authorities of the hacking. It also charged that the company had been misrepresenting to consumers that it used reasonable safeguards to protect customers’ personal information.
The settlement announced by state Attorney General Letitia James requires Dunkin’ to notify customers affected by the attacks, reset their passwords and provide refunds for unauthorized use of customers’ stored value cards.
Dunkin’ will also be required to maintain safeguards to protect against similar attacks in the future, follow required procedures if another attack occurs and pay $650,000 in penalties and costs to the state of New York.
Beginning in early 2015, customers’ online accounts were targeted in a series of repeated, automated attempts to gain access over several months. Tens of thousands of customer accounts were compromised. Many of the customers had “DD cards,” which could be used to make purchases at Dunkin’ stores. Tens of thousands of dollars on customers’ DD cards were stolen.
According to James, Dunkin’ was repeatedly alerted to what was going on by a third-party app developer. The app developer even provided Dunkin’ with a list of nearly 20,000 accounts that had been compromised by attackers over just a sample five-day period. Yet Dunkin’ failed to conduct an investigation into the known attacks and to identify other customer accounts that had been compromised, or to determine what customer information had been stolen or whether customer funds had been stolen.
Dunkin’ took no action to protect customers that it knew had been impacted in the attacks or the potentially thousands more it did not know about.
“For years, Dunkin’ hid the truth and failed to protect the security of its customers, who were left paying the bill,” James said.
The lawsuit was filed last September in the Commercial Division of State Supreme Court in New York City. The settlement is subject to court approval.
New York’s data security laws require businesses that maintain New Yorkers’ private information to implement reasonable safeguards to protect that information and to develop and implement appropriate incident response procedures, including notifying people when their private information has been compromised.