N.Y. AG alleges Dunkin’ mishandled breaches, company denies allegations

THE NEW YORK Attorney General has filed a lawsuit against Dunkin' Brands alleging the mishandling of stored-value card account breaches. Dunkin' said third-party attempts to access the accounts were unsuccessful and the breaches never happened. / COURTESY DUNKIN' BRANDS GROUP INC.

PROVIDENCE – N.Y. Attorney General Letitia James has filed a lawsuit against Dunkin’ Brands Inc. alleging the company failed to adequately address breaches of customers’ reloadable stored-value cards, called DD Cards.

The lawsuit alleges that following a series of “brute force” account breaches through the Dunkin’ website, Dunkin’ “failed to conduct even the most basic investigation” into the breaches.

On Thursday, Dunkin’ acknowledged there were third-party attempts to log into accounts but said those attempts were unsuccessful.

Meanwhile, the lawsuit claims that hackers accessed the accounts by transmitting customer email address and password combinations to Dunkin’s systems millions of times, resulting in compromised accounts and the theft of tens of thousands of dollars from those accounts.


“There is absolutely no basis for these claims by the New York Attorney General’s Office. For more than two years, we have fully cooperated with the AG’s investigation into this matter and we are shocked and disappointed that they chose to move ahead with this lawsuit given the lack of merit to their case,” said Karen Raskopf, chief communications officer for Dunkin’ Brands, in a statement.

The lawsuit claims that with access to an account, hackers could spend money on the cards, view customers’ names, DD Card numbers and personal identification numbers, and sell customers’ DD Cards online. The lawsuit alleges that this access also let the hackers obtain other account information that could be incorporated into future attacks, such as phishing campaigns.

“The investigation centered on a credential stuffing incident that occurred in 2015, in which third parties unsuccessfully tried to access approximately 20,000 Dunkin’ app accounts,” continued Raskopf. “The database in question did not contain any customer payment card information. The incident was brought to our attention by our then-firewall vendor, and we immediately conducted a thorough investigation. This investigation showed that no customer’s account was wrongfully accessed, and, therefore, there was no reason to notify our customers.”

The lawsuit alleges that between 2015 and 2016, thousands of customers contacted Dunkin’ to report fraudulent activity associated with their DD Card accounts, which the lawsuit says were related to account breaches.

According to allegations in the lawsuit, the company was alerted to the purported breaches by CorFire, Dunkin’s app developer. The lawsuit also includes allegations of deceptive business practices, false advertising related to information provided to alleged victims of hacking, and misrepresentation of the company’s data security practices and procedures.

The company disagreed with those allegations as well.

“We take the security of our customers’ data seriously and have robust data protection safeguards in place,” said Raskopf. “We look forward to proving our case in court.”

Chris Bergenheim is the PBN web editor. You may reach him at Bergenheim@PBN.com.
