New York Attorney General Sues Dunkin' Donuts Over Cyber Attacks

Giulio Saggin
Tuesday 28 November 2023

New York Attorney General Letitia James has filed a lawsuit against Dunkin' Donuts, accusing the chain of "past and ongoing fraudulent, deceptive, and unlawful practices." The lawsuit stems from a 2015 attack, when nearly 20,000 customers had their data compromised by hackers using credential-stuffing attacks to target their DD Perks accounts, and further attacks in late 2018, when 300,000+ accounts were compromised in a series of brute-force attacks.

In regard to the 2015 attack, the lawsuit states that "... attackers made millions of automated attempts to access customer accounts. Tens of thousands of customer accounts were compromised. Tens of thousands of dollars on customers’ stored value cards were stolen." It also says that customer complaints were received in May 2015, alleging accounts were being hacked, and that CorFire, a third-party app developer, had warned the company in June 2015 that nearly 20,000 accounts had been breached over a five-day period.

However, the company didn't inform customers affected by the breaches - it wasn't until October 2018 that Dunkin' Brands told customers of the 2015 attack - and failed to adopt necessary safeguards to reduce future attacks, even after customers reported continuing fraud on their accounts. "Dunkin' failed to protect the security of its customers," James said. "(They) sat idly by, putting customers at risk."

Dunkin' Brands, the parent group of Dunkin' Donuts, has denied any wrongdoing. "There is absolutely no basis for these claims by the New York Attorney General's Office," said Karen Raskopf, chief communications officer for Dunkin' Brands. "For more than two years, we have fully cooperated with the AG's investigation into this matter, and we are shocked and disappointed that they chose to move ahead with this lawsuit given the lack of merit to their case."

According to Raskopf, the company found that none of the customer accounts in the 2015 attack were "wrongfully accessed", so there was no reason to notify customers. As for the 2018 attacks, the company told customers that their accounts had been hacked and accessed using passwords obtained in prior attacks. Customers had also been told to change their passwords. Raskopf said that the company was looking forward to proving its case in court.
