New York state is suing Dunkin' Brands, parent company of the coffee chain, for allegedly failing to warn hundreds of thousands of customers affected in two separate cyber breaches in 2015 and 2018.
According to New York Attorney General Letitia James, Dunkin' in 2015 failed to notify nearly 20,000 customers whose online accounts were targeted by criminals in a series of attacks. Hackers reportedly hoped to gain access to Dunkin' mobile app or online accounts, which allowed customers to manage their stored-value cards and make purchases in the chain's stores and online.
The complaint said tens of thousands of dollars were stolen from customer cards. "Dunkin' failed to protect the security of its customers," James said in a statement. "And instead of notifying the tens of thousands impacted by these cybersecurity breaches, Dunkin' sat idly by, putting customers at risk."
According to the attorney general's office, Dunkin' did not notify customers about breached accounts, nor did it reset passwords or freeze accounts. The coffee company also allegedly failed to conduct a thorough investigation, including determining whether customer funds were stolen or what information was acquired.
New York prosecutors also accused Dunkin' of keeping more than 300,000 customers in the dark about the full extent of the 2018 cyberattack. The coffee franchise allegedly notified impacted customers, but made it seem as though a hack was "attempted" on their account, not that they were successful. the suit alleged.
On Thursday, a Dunkin' spokeswoman in a statement dismissed the claim that the company didn't conduct a thorough investigation into the 2015 cyberattack.
"There is absolutely no basis for these claims by the New York Attorney General's Office," Karen Raskopf, chief communications officer at Dunkin', said in a statement sent to CBS MoneyWatch. "For more than two years, we have fully cooperated with the AG's investigation into this matter, and we are shocked and disappointed that they chose to move ahead with this lawsuit given the lack of merit to their case."
Raskopf said the company found that none of the customer accounts were "wrongfully accessed" in the 2015 attack. "Therefore, there was no reason to notify our customers," she added.
Regarding the 2018 hack, Raskopf said the company told impacted customers that their Dunkin' accounts were breached and that hackers had used passwords obtained in prior attacks to access those accounts. She also said Dunkin' required customers to change their password.