Cybercriminals’ Run on Dunkin’

  • New York AG Letitia James reached a settlement with franchisor Dunkin’ Brands, Inc. (“Dunkin’”) to resolve allegations that it failed to appropriately respond to a 2015 cyberattack on customers’ online accounts in violation of New York’s data privacy laws.
  • According to the AG’s office, beginning in 2015, Dunkin’ customers’ online accounts were repeatedly targeted and breached through automated login attempts (credential stuffing) using usernames and passwords stolen from other, unrelated online services. Tens of thousands of customer accounts were compromised, their Dunkin’-branded stored value cards accessed, and tens of thousands of dollars stolen from customers’ cards. The AG’s office alleged that Dunkin’ was repeatedly warned about the hacking attempts but failed to, among other things, conduct an investigation or notify customers about the security breach.
  • Under the terms of the proposed consent order, Dunkin’ will refund money stolen from customers’ stored value cards and will pay $650,000 in penalties and costs to the state. In addition, among other things, Dunkin’ will notify customers of the security breach, implement reasonable safeguards against similar cyberattacks, maintain a comprehensive data security program, and develop appropriate incident response protocols.
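The attack pattern in the second bullet, automated login attempts that replay credentials stolen from other services, leaves a distinctive trace in authentication logs: one source address cycling through many different usernames in a short span, with a handful of successes among many failures. The following detector is an added example written for this page; it is not code from Dunkin’, the AG’s office, or the settlement. The log format, the sample lines, the 60-second window and the five-distinct-usernames threshold are all constructed assumptions, chosen to show how a site can surface such a run and produce the list of accounts whose owners need the notification the consent order requires.

```python
"""Credential-stuffing detector over authentication logs (added example, not from the page)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample log, not real Dunkin' data.
# Fields per line: ISO-8601 timestamp, source IP, username, outcome (FAIL / SUCCESS).
SAMPLE_LOG = """\
2015-10-01T09:00:00Z 198.51.100.10 alice FAIL
2015-10-01T09:00:01Z 198.51.100.10 bob FAIL
2015-10-01T09:00:01Z 198.51.100.10 carol FAIL
2015-10-01T09:00:02Z 198.51.100.10 dave SUCCESS
2015-10-01T09:00:02Z 198.51.100.10 erin FAIL
2015-10-01T09:00:03Z 198.51.100.10 frank FAIL
2015-10-01T09:00:03Z 198.51.100.10 grace SUCCESS
2015-10-01T09:05:00Z 203.0.113.5 heidi FAIL
2015-10-01T09:05:30Z 203.0.113.5 heidi FAIL
2015-10-01T09:06:00Z 203.0.113.5 heidi SUCCESS
2015-10-01T11:00:00Z 192.0.2.44 ivan SUCCESS
"""


def parse_line(line):
    """Parse one constructed log line into (timestamp, ip, username, outcome)."""
    ts_str, ip, user, outcome = line.split()
    ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, ip, user, outcome


def detect_credential_stuffing(log_text, window=timedelta(seconds=60), min_distinct_users=5):
    """Flag source IPs that attempt at least `min_distinct_users` different usernames
    within any sliding window of length `window`. A legitimate user who mistypes a
    password hits one username repeatedly and is not flagged; a stuffing run walks a
    stolen list and hits many usernames once each.

    Returns {ip: {"peak_distinct_users", "attempts", "compromised_accounts"}}.
    """
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    events.sort(key=lambda e: e[0])

    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)

    flagged = {}
    for ip, evs in by_ip.items():
        window_events = deque()          # (timestamp, username) inside the current window
        users_in_window = defaultdict(int)
        peak = 0
        for ts, _, user, _ in evs:
            window_events.append((ts, user))
            users_in_window[user] += 1
            # Slide the window forward: drop events older than `window`.
            while window_events and ts - window_events[0][0] > window:
                _, old_user = window_events.popleft()
                users_in_window[old_user] -= 1
                if users_in_window[old_user] == 0:
                    del users_in_window[old_user]
            peak = max(peak, len(users_in_window))

        if peak >= min_distinct_users:
            # Any success from a flagged source is an account taken over with a
            # reused password; those owners are the ones to notify and force-reset.
            successes = sorted({u for _, _, u, o in evs if o == "SUCCESS"})
            flagged[ip] = {
                "peak_distinct_users": peak,
                "attempts": len(evs),
                "compromised_accounts": successes,
            }
    return flagged


def accounts_to_notify(findings):
    """Collapse per-IP findings into one sorted list of affected usernames."""
    return sorted({u for f in findings.values() for u in f["compromised_accounts"]})


if __name__ == "__main__":
    findings = detect_credential_stuffing(SAMPLE_LOG)
    for ip, info in findings.items():
        print(f"{ip}: {info['peak_distinct_users']} usernames in window, "
              f"{info['attempts']} attempts, compromised={info['compromised_accounts']}")
    print("notify:", accounts_to_notify(findings))
```

On the sample, 198.51.100.10 tries seven usernames in three seconds and is flagged, with dave and grace as the accounts that accepted a reused password; 203.0.113.5 is one user retrying their own password and is not flagged. In production the per-IP key is too coarse on its own (stuffing tools rotate through proxy pools), so the same sliding-window count is usually also run per user-agent, per ASN, and globally on the ratio of distinct usernames to successes, and a successful login from a flagged source should trigger a password reset and a customer notice rather than just an alert.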