The attorney general of New York has filed a lawsuit against Dunkin’ Brands over a cyberattack that saw the theft of tens of thousands of dollars from customer value cards.
Customers were targeted in a series of cyberattacks, and the donut company failed to notify them, CNBC reported Thursday (Sept. 26). The hacks started early in 2015, and money stored on almost 20,000 customers’ value cards was compromised. The attacker was able to either use the cards for online purchases or sell them online.
In just a few months, tens of thousands of dollars were stolen. The lawsuit says Dunkin’ was aware of the hacks as early as May of 2015, and it was given a list of all 19,715 accounts that were compromised, but it didn’t notify customers.
Dunkin’ is also accused of not taking the correct steps to shield accounts from the attack, such as freezing the money or resetting passwords.
“Dunkin’ failed to protect the security of its customers,” Attorney General Letitia James said in a news release. “And instead of notifying the tens of thousands impacted by these cybersecurity breaches, Dunkin’ sat idly by, putting customers at risk. My office is committed to protecting consumer data and holding businesses accountable for implementing safe security practices.”
The lawsuit also alleges that in 2018, Dunkin’ was informed about a vendor that could access 300,000 accounts, many with money attached. Dunkin’ notified customers, but it didn’t say that the accounts had been accessed without permission, only that a third party tried to log in in but failed. The stolen money was not reimbursed, nor have the cards been replaced.
Dunkin’ shares dropped 2 percent on Thursday following the news.
“The New York State Attorney General’s Office reminds consumers to regularly check account balances — whether using pre-paid gift cards or credit cards — for unusual activity to ensure they have not been victims of theft,” the release said.