Dunkin’ calls data breach lawsuit unfounded, says attorney general lacks ‘merit’ in case

Dunkin’ Brands, Inc., the parent of the donut and coffee chain formerly known as Dunkin' Donuts, is being sued after a series of cyberattacks allegedly cost its customers tens of thousands of dollars.

Nearly 20,000 customers' accounts were compromised in attacks in 2015 and 300,000 accounts were affected in 2018, the New York Attorney General’s office said in a press release Thursday.

The lawsuit also claims that Dunkin’ did not alert customers, nor did it investigate the attacks.

However, the company disputes those claims.

“For more than two years, we have fully cooperated with the AG’s investigation into this matter, and we are shocked and disappointed that they chose to move ahead with this lawsuit given the lack of merit to their case,” Karen Raskopf, Dunkin’ Brands’ chief communications officer, said in an emailed statement to FOX Business.

According to the attorney general’s office, customers’ “DD card” accounts were targeted in early 2015 in several repeated attacks. Hackers were able to access tens of thousands of accounts, where they could not only use those DD cards, but could also sell them online, the AG’s press release said.

“In a matter of months, tens of thousands of customer accounts were compromised through these attacks, and tens of thousands of dollars on customers’ DD cards were stolen,” the release alleged.

Despite reports from customers and Dunkin’s third-party app developer that at least 19,715 accounts had allegedly been hacked, the New York attorney general’s office claims that Dunkin’ didn’t notify customers, change their passwords or freeze their accounts.

The company claims, however, that the 2015 attempts to hack into Dunkin’ Donuts accounts were unsuccessful.

“The investigation centered on a credential stuffing incident that occurred in 2015, in which third parties unsuccessfully tried to access approximately 20,000 Dunkin’ app accounts,” Raskopf said. “The database in question did not contain any customer payment card information.”

“The incident was brought to our attention by our then-firewall vendor, and we immediately conducted a thorough investigation,” Raskopf added. “This investigation showed that no customer’s account was wrongfully accessed, and, therefore, there was no reason to notify our customers.”

However, according to the attorney general, there was another round of attacks in 2018.

During that attack, more than 300,000 accounts had reportedly been hacked into. And though Dunkin’ reportedly told customers that attackers had “attempted” to access their accounts, the company allegedly did not say that some accounts had actually been hacked into, the attorney general claimed.

The lawsuit claims that because Dunkin’ didn’t notify customers about the 2015 attacks and didn’t accurately describe the 2018 attacks, the company allegedly violated the New York data breach notification statute, the press release said.


“Dunkin’ failed to protect the security of its customers,” New York Attorney General Letitia James said in a statement. “And instead of notifying the tens of thousands impacted by these cybersecurity breaches, Dunkin’ sat idly by, putting customers at risk.”

Meanwhile, Raskopf added: “We take the security of our customers’ data seriously and have robust data protection safeguards in place. We look forward to proving our case in court.”