Dunkin' Donuts' hole in cybersecurity costs $650,000 in fines

Settles NY case after cyberattacks compromised online accounts of tens of thousands

The parent of Dunkin' Donuts on Tuesday agreed to upgrade its security protocols and pay $650,000 in fines and costs to settle a lawsuit by New York's attorney general claiming it ignored cyberattacks that compromised the online accounts of tens of thousands of customers.

Attorney General Letitia James said Dunkin' Brands Group Inc will notify customers affected by the attacks between 2015 and 2018, reset their passwords, and provide refunds for unauthorized use of their Dunkin'-branded stored-value cards.

The settlement resolves a civil lawsuit filed last Sept. 26 in a New York state court in Manhattan, and requires a judge's approval.

Dunkin' did not admit or deny wrongdoing.

The case arose after hackers began in early 2015 using previously stolen user names and passwords to conduct automated "brute force" and "credential stuffing" attacks, and steal tens of thousands of dollars from accounts created through Dunkin's website or free mobile app.

James said the Canton, Massachusetts-based company did nothing for years to address the compromised accounts despite repeated alerts from its own app developer, including when it identified 19,715 customers targeted over a five-day period.

The attorney general also said Dunkin' failed to adopt safeguards against future attacks despite reports of continuing fraud. She said that came to roost in late 2018, when more than 300,000 customer accounts were accessed in new attacks.

"For years, Dunkin' hid the truth and failed to protect the security of its customers, who were left paying the bill," James said. "It's time to make amends and finally fill the holes in Dunkin's cybersecurity."

In a separate statement, Dunkin' said the cyberattacks potentially affected less than 1% of its Perks Loyalty members, and the hackers had no access to credit card information.

"We have taken steps to make sure that any stored value cards associated with [digital customers'] accounts are protected and secure," it added.
