New York's attorney general announced Thursday a lawsuit against Dunkin' Brands for failing to notify customers that their accounts had been targeted in a series of cyberattacks, resulting in the theft of tens of thousands of dollars.
Beginning in early 2015, hackers accessed money stored on Dunkin' value cards of nearly 20,000 customers who created accounts through Dunkin's website and mobile apps. An attacker that gained access could use the card to make purchases or sell the cards online. In a matter of months, tens of thousands of dollars were stolen, the attorney general said.
The lawsuit alleges that employees at Dunkin' were aware of the attacks through customer reports by May 2015, and a third-party app developer provided Dunkin' with a list of 19,715 accounts that were hacked. However, Dunkin' did not notify the customers of the attack and did not take steps to protect the accounts such as freezing the money in the accounts or resetting account passwords, the attorney general's office said in a press release.
"Dunkin' failed to protect the security of its customers," said Attorney General Letitia James. "And instead of notifying the tens of thousands impacted by these cybersecurity breaches, Dunkin' sat idly by, putting customers at risk. My office is committed to protecting consumer data and holding businesses accountable for implementing safe security practices."
After 2015, Dunkin' did not take any measures to stop similar attacks from happening in the future. The lawsuit also said that in 2018, one vendor told Dunkin' it was able to access over 300,000 of its accounts, many of which had stored money cards. Dunkin contacted the impacted customers then, but did not say that the accounts were accessed without authorization — just that a third party attempted to but failed to log in to accounts. Dunkin has not replaced customers' cards or refunded the money that was stolen.
Dunkin' shares were down nearly 2% in trading Thursday. The stock, which had already been losing ground, hit a low for the day after the news broke.
The company wasn't immediately available to comment.