Attorney General Letitia James says Dunkin’ Donuts didn’t notify customers after two massive data breaches.
New York Attorney General Letitia James is launching a lawsuit against Dunkin’ Donuts.
According to A.G. James, Dunkin’ Donuts didn’t notify its customers of a massive security breach in 2015. Hackers accessed thousands of consumer accounts, many associated with “DD” loyalty and gift cards. Massive losses ensued: an estimated 19,175 accounts were raided in a single five-day period, with hackers pilfering entire gift card balances.
“Dunkin’ failed to protect the security of its customers,” James said in a statement. “And instead of notifying the tens of thousands impacted by those cybersecurity breaches, Dunkin’ sat idly by, putting customers at risk.”
The New York Attorney General’s Office says that Dunkin’ did nothing to let consumers know their “DD” accounts were compromised. Affected customers weren’t even prompted to reset their passwords.
Along with the 2015 breach, James is also taking the company to task for its handling of a larger cyberattack in 2018. Instead of telling customers their accounts may be compromised, Dunkin’ described the incursion as an “attempted” hack. In reality, says the Democrat & Chronicle, the attack was successful.
Between the two, James’ complaint focuses primarily on the 2015 breach.
Under New York state law, companies are required to protect consumer data and notify any and all persons affected by a potential breach.
However, Dunkin’ Donuts has denied any wrongdoing. The Democrat & Chronicle quotes a company representative as saying there’s “absolutely no basis” for James’ claim.
“There is absolutely no basis for these claims by the New York Attorney General’s Office. For more than two years, we have fully cooperated with the AG’s investigation into this matter, and we are shocked and disappointed that they chose to move ahead with this lawsuit given the lack of merit to their case,” said Dunkin’ Chief Communications Officer Karen Raskopf. “The database in question did not maintain any customer payment card information.”
Raskopf also says that, because only gift card balances were affected, there wasn’t any compelling reason to contact customers.
“The incident was brought to our attention by our then-firewall vendor, and we immediately conducted a thorough investigation,” Raskopf said. “This investigation showed that no customer’s account was wrongfully accessed, and, therefore, there was no reason to notify our customers.”
The lawsuit intends to force Dunkin’ to admit liability for any losses and reimburse its New York customers. James also wants the company to pay civil penalties.
Raskopf, though, said the company already has “robust data protection safeguards in place,” with or without the A.G.’s office interfering.
“We look forward to proving our case in court,” Raskopf added.