Dunkin' Donuts owner settles New York cyberattack lawsuit

NEW YORK (1010 WINS) -- The company that owns Dunkin’ Donuts has agreed to settle a lawsuit claiming it failed to respond to cyberattacks that compromised thousands of customers’ online accounts, the New York attorney general’s office said Tuesday. 

New York Attorney General Letitia James sued Dunkin’ Brands, Inc. last September claiming the company "knowingly" failed to notify customers that their online accounts had been hacked or protect them from future attacks.

As part of a settlement James’ office and Dunkin’ Brands reached, the company will reach out to customers that were affected by the cyberattacks, reset their passwords and refund those whose Dunkin’ Donuts stored value cards were compromised, James said in a release on Tuesday. 

Dunkin’ Brands will also be “required to maintain safeguards to protect against similar attacks in the future, follow incident response procedures when an attack occurs, and pay $650,000 in penalties and costs to the state of New York,” her office said. 

“For years, Dunkin’ hid the truth and failed to protect the security of its customers, who were left paying the bill,” James said in a statement. “It’s time to make amends and finally fill the holes in Dunkin’s cybersecurity.”

“Not only will customers be reimbursed for lost funds, but we are ensuring the company’s dangerous brew of lax security and negligence comes to an end,” she added. “My office is committed to protecting consumer data and holding all businesses accountable for implementing safe security practices.” 

Hackers started targeting Dunkin' Donuts customers’ online accounts back in 2015, James' release said. The hackers compromised “tens of thousands” of customer accounts in the span of a few months, stealing “tens of thousands of dollars” from their Dunkin’-branded stored value cards, also known as “DD cards,” according to the release. 

Dunkin’ Brands was “repeatedly alerted to attackers’ online attempts to log in to customer accounts,” but the company failed to thoroughly investigate the attacks, the release said. 

“Moreover, Dunkin’ did nothing to protect the nearly 20,000 customers that it knew had been impacted in the attacks, or the potentially thousands more they did not know about,” the release said. 

“Additionally, after learning of the attacks, Dunkin’ failed to implement appropriate safeguards to protect customers against future attacks through the Dunkin’ mobile app,” it added. “The attacks continued for years.” 

Dunkin’ Brands didn’t immediately respond to a request for comment on the settlement.