Dunkin' settles NY cyberattack suit


New York Attorney General Letitia James speaks during a news conference in New York in June.

ALBANY — New York reached a settlement Tuesday with Dunkin’ Brands, Inc. over a lawsuit that accused the company of failing to adequately respond to cyberattacks since 2015 that compromised customers’ online accounts.

The settlement with Dunkin' Donuts' parent company requires it to notify customers impacted by the attacks, reset those customers’ passwords and provide refunds for any unauthorized use of customers’ stored value cards.

The Canton, Mass.-based company will also need to maintain safeguards to protect against similar attacks and pay $650,000 in penalties to New York, Attorney General Letitia James announced.

“For years, Dunkin’ hid the truth and failed to protect the security of its customers, who were left paying the bill,” James said in a statement.

The state Attorney General's Office said the online accounts of Dunkin’ customers were first targeted in early 2015 in a series of “credential stuffing attacks” — which were automated attempts to gain access to accounts using usernames and passwords stolen through security breaches of other unrelated websites.

The cyberattacks, which went on through 2018, led to tens of thousands of customer accounts being compromised within months, mainly Dunkin’-branded stored value cards known as “DD cards” that could be used to make purchases at Dunkin’ stores, the state said.

There was no immediate comment from Dunkin' on the settlement.

Under the terms of the settlement, Dunkin’ will need to:

• Reset the password of each New York customer impacted in an attack who had a "DD card" registered to their account at the time.

• Notify the customers that their accounts were, or may have been, accessed.

• Tell the customers that they are eligible for a refund for any fraudulent activity that resulted from an attack.

Customers will have 90 days to contact Dunkin’ by calling (800) 447-0013 or by emailing to request copies of their account records and report fraudulent activity.

Jeremy Boyer can be reached at (315) 282-2231 or Follow him on Twitter @CitizenBoyer

