Dunkin’ Donuts’ parent company faced legal action from the attorney general of New York, Letitia James, who imposed a $650,000 penalty on it for lax cybersecurity measures. AG James also asked Dunkin’ Foods to “fill the holes in (their) cybersecurity”.
The ruling stems from a civil lawsuit filed in a New York state court in September 2019. The court also asked Dunkin’ to notify customers affected by the attacks between 2015 and 2018, reset their passwords, and provide refunds for unauthorized use of their Dunkin’-branded stored-value cards. The settlement ended with Dunkin’ neither confirming nor denying any wrongdoing.
When did the hacks occur?
Dunkin’s security has been compromised since 2015. At the time, hackers conducted automated attacks to steal thousands of dollars from customers’ accounts, which were created using the company’s app or website. In fact, at one point, hackers attacked more than 19,000 Dunkin’ accounts in a five-day period.
The global food-chain conglomerate clearly failed to safeguard and update its security infrastructure despite constant warnings. The climax came in 2018, when more than 300,000 Dunkin’ accounts were reportedly compromised in cyberattacks.
Dunkin’s response
Dunkin’ Foods clarified that the cyberattacks affected less than 1% of its Perks Loyalty members and that the hackers had no access to credit card information. “We have taken steps to make sure that any stored value cards associated with (digital customers’) accounts are protected and secure,” the company stated.