The parent of Dunkin' Donuts on Tuesday agreed to upgrade its security protocols and pay $650,000 in fines and costs to settle a lawsuit by New York's attorney general claiming it ignored cyberattacks that compromised the online accounts of tens of thousands of customers.
Attorney General Letitia James said Dunkin' Brands Group Inc will notify customers affected by the attacks between 2015 and 2018, reset their passwords, and provide refunds for unauthorized use of their Dunkin'-branded stored-value cards.
The settlement resolves a civil lawsuit filed last Sept. 26 in a New York state court in Manhattan, and requires a judge's approval.
Dunkin' did not admit or deny wrongdoing.
The case arose after hackers began in early 2015 using previously stolen user names and passwords to conduct automated "brute force" and "credential stuffing" attacks, and steal tens of thousands of dollars from accounts created through Dunkin's website or free mobile app.
James said the Canton, Massachusetts-based company did nothing for years to address the compromised accounts despite repeated alerts from its own app developer, including when it identified 19,715 customers targeted over a five-day period.
The attorney general also said Dunkin' failed to adopt safeguards against future attacks despite reports of continuing fraud. She said that came to roost in late 2018, when more than 300,000 customer accounts were accessed in new attacks.
"For years, Dunkin' hid the truth and failed to protect the security of its customers, who were left paying the bill," James said. "It's time to make amends and finally fill the holes in Dunkin's' cybersecurity."
In a separate statement, Dunkin' said the cyberattacks potentially affected less than 1% of its Perks Loyalty members, and the hackers had no access to credit card information.
"We have taken steps to make sure that any stored value cards associated with [digital customers'] accounts are protected and secure," it added.