
Dunkin’ Donuts agrees to pay for ‘dangerous brew of lax security’

AG: Dunkin’ ignored warnings and refused to implement safeguards

September 16, 2020 Rob Abruzzese

One of Brooklyn’s most ubiquitous coffee shop chains, Dunkin’ Donuts, will pay a $650,000 penalty and reimburse customers whose accounts were hacked, under a settlement that the company’s franchisor reached with New York State Attorney General Letitia James, the AG’s Office announced on Tuesday.

The settlement, reached with Dunkin’ Brands Inc., resolves a lawsuit over the company’s failure to respond to successful cyberattacks on tens of thousands of its customers’ online accounts.

“For years, Dunkin’ hid the truth and failed to protect the security of its customers, who were left paying the bill,” said Attorney General James. “It’s time to make amends and finally fill the holes in Dunkin’s cybersecurity. Not only will customers be reimbursed for lost funds, but we are ensuring the company’s dangerous brew of lax security and negligence comes to an end.”


As part of the settlement, Dunkin’ must notify the customers whose accounts were hacked, reset their passwords and refund unauthorized use of their stored value cards. The company has also agreed to maintain safeguards against similar attacks in the future, to follow incident response procedures, and to pay $650,000 in penalties and costs.

The scam against Dunkin’ customers began in 2015, when online accounts were targeted by “credential stuffing attacks,” according to the AG’s Office. In a credential stuffing attack, the attacker replays username and password pairs leaked in breaches at other companies against a site’s login, counting on customers having reused the same password.

Specifically, thieves targeted “DD cards,” the stored value cards used to make purchases in Dunkin’ Donuts stores. Once inside an account that held a card, the attackers would remove the card from the account and sell it online, the AG’s Office said.

A third-party app developer repeatedly alerted Dunkin’ to the attacks, according to the AG’s Office, but Dunkin’ did not investigate to determine which customer accounts had been accessed, or whether those customers had actually lost money.

Not only did Dunkin’ do nothing to protect more than 20,000 customers, the AG’s Office said, but it also failed to notify them or freeze their accounts, and failed to implement safeguards that could have stopped the attacks, which went on for years.
