NEW YORK (AP) — Dunkin’ Donuts violated state law by not notifying almost 20,000 customers, including more than 2,000 in New York, about cyberattacks on their accounts in 2015 and inadequately warning more than 300,000 customers in 2018 about another attack, the New York state attorney general said Thursday in announcing a lawsuit.
“Dunkin’ failed to protect the security of its customers,” Attorney General Letitia James said in a statement. “And instead of notifying the tens of thousands impacted by these cybersecurity breaches, Dunkin’ sat idly by, putting customers at risk.”
According to the lawsuit, filed in state Supreme Court in Manhattan, the company knew in 2015 that a series of attacks had been made on customers’ online accounts, with attackers able to steal money customers had stored for use at Dunkin’ stores. But it said the company didn’t inform the customers or fully investigate.
The suit also accuses Dunkin’ of keeping customers in the dark about the full extent of 2018 cyberattacks, by only intimating attempts had been made to access accounts but not that accounts had been breached.
Dunkin’ Brands Inc. strongly pushed back against James’ contention.
“There is absolutely no basis for these claims by the New York Attorney General’s Office. For more than two years, we have fully cooperated with the AG’s investigation into this matter, and we are shocked and disappointed that they chose to move ahead with this lawsuit given the lack of merit to their case,” Dunkin’ chief communications officer Karen Raskopf said in an emailed statement.
She said in connection to the 2015 incident, an investigation had been conducted and showed that no customer account had been wrongfully accessed and there was no reason to inform customers.