State Attorney General Letitia James has sued the franchiser of Dunkin’ Donuts for dragging its feet in dealing with cyberattacks that compromised thousands of customer online accounts.
According to the attorney general’s lawsuit, which she filed Thursday, Dunkin’ Brands Inc. neglected to notify the owners of accounts that the company knew were affected by “brute force attacks,” or repeated, automated attempts to gain access to accounts, despite incidents occurring over multiple months in 2015. The accounts are tied to the stored value cards, known as DD cards, that customers use to purchase goods online and in stores. The company also failed to investigate, determine whether other customers were attacked or implement other safeguards such as freezing affected accounts or having customers change their passwords.
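As an added illustration, not code from the article, Dunkin’ or CorFire, the following Python scans constructed login-log lines for the pattern the lawsuit describes (a burst of automated failures on one account followed by a success, and one source hitting many different accounts) and lists the safeguards the complaint says were missing. The log format, the thresholds and the sample values are assumptions for the example.

```python
# Added example: flag automated account takeover in login logs and list the response.
from collections import defaultdict

# Constructed sample log lines, format "timestamp,account,source_ip,result" (assumed).
SAMPLE_LOG = """\
2015-08-01T10:00:01,alice,203.0.113.5,FAIL
2015-08-01T10:00:02,alice,203.0.113.5,FAIL
2015-08-01T10:00:03,alice,203.0.113.5,FAIL
2015-08-01T10:00:04,alice,203.0.113.5,FAIL
2015-08-01T10:00:05,alice,203.0.113.5,FAIL
2015-08-01T10:00:06,alice,203.0.113.5,OK
2015-08-01T10:00:07,bob,203.0.113.5,FAIL
2015-08-01T10:00:08,carol,203.0.113.5,FAIL
2015-08-01T10:00:09,dave,203.0.113.5,OK
2015-08-01T10:00:10,frank,203.0.113.5,FAIL
2015-08-01T10:05:00,grace,198.51.100.7,FAIL
2015-08-01T10:05:30,grace,198.51.100.7,OK
"""

FAIL_THRESHOLD = 5    # consecutive failures before a success that we treat as suspicious (assumed)
SPRAY_THRESHOLD = 5   # distinct accounts from one IP that looks like credential stuffing (assumed)

def parse(log_text):
    for line in log_text.splitlines():
        ts, account, ip, result = line.strip().split(",")
        yield ts, account, ip, result

def analyze(log_text):
    fails = defaultdict(int)            # (account, ip) -> consecutive failures so far
    accounts_per_ip = defaultdict(set)  # ip -> accounts it tried
    compromised = {}                    # account -> reason it is treated as taken over
    for ts, account, ip, result in parse(log_text):
        accounts_per_ip[ip].add(account)
        if result == "FAIL":
            fails[(account, ip)] += 1
            continue
        if fails[(account, ip)] >= FAIL_THRESHOLD:
            compromised[account] = f"success after {fails[(account, ip)]} failures from {ip}"
        fails[(account, ip)] = 0
    spraying_ips = {ip for ip, accts in accounts_per_ip.items() if len(accts) >= SPRAY_THRESHOLD}
    # A successful login from an IP that sprayed many accounts is a takeover even without prior failures.
    for ts, account, ip, result in parse(log_text):
        if result == "OK" and ip in spraying_ips:
            compromised.setdefault(account, f"login from {ip}, which hit {len(accounts_per_ip[ip])} accounts")
    return compromised, spraying_ips

def response_plan(compromised):
    # The safeguards the complaint says were never applied to affected accounts.
    return [(acct, ["freeze account", "force password reset", "notify customer"]) for acct in sorted(compromised)]
```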
Reports of hacked customer accounts grew through early 2018, and in March of that year the company finally recruited a security vendor to help block the attacks. To date, however, Dunkin’ has “yet to conduct an appropriate investigation into the reported attacks or take appropriate action to protect its customers,” according to the litigation.
Attackers launched millions of automated attempts to access customer accounts in 2015 and stole tens of thousands of dollars from customer stored value cards, referred to as DD cards, across tens of thousands of accounts. Dunkin’ employees first took notice of the hacks in May. CorFire, the developer behind the company’s smartphone app, independently discovered the attacks in June, reported its findings to Dunkin’ multiple times throughout the summer and tried to mitigate the assault.
In August, the developer notified the company that in a five-day sample period, hackers successfully infiltrated 19,715 accounts, at least 2,200 of which belonged to New Yorkers.
Despite receiving reports and presentations, Dunkin’ failed to investigate, notify the owners of affected accounts or attempt to protect them, and it did not implement CorFire’s recommended protections, according to the lawsuit. Cyberattacks against customer accounts grew over the years. The number of affected accounts each month in 2018 was three or four times higher than in 2015, according to the lawsuit, with 950 customers reporting their accounts had been compromised in January 2018 alone.
Dunkin’ has also been accused of misleading customers about the cyberattacks. When thousands of shoppers notified the company, customer service personnel told customers “their own actions may have led to the fraudulent activity,” rather than the series of automated brute force attacks that actually afflicted the accounts. In the fall of 2018, hackers accessed more than 300,000 customer accounts, including more than 36,000 New Yorkers’ accounts, but instead of telling customers their accounts had been accessed, Dunkin’ told them the attackers “attempted” or “may have attempted to log in” to their accounts, according to the lawsuit.
The attorney general accuses Dunkin’ of violating General Business Law by failing to notify customers and state authorities of the 2015 attacks and by failing to provide accurate information about the 2018 attacks, and she seeks restitution for customers, civil penalties, an accounting of the money lost as a result of the attacks and other necessary equitable relief.