New York state officials have filed a lawsuit against the company behind the Dunkin' Donuts franchise for failing to notify customers of a 2015 security breach, among many other things.
Dunkin' Brands, the company, told ZDNet there's "absolutely no basis" for the lawsuit, and that they were "shocked and disappointed" by the New York Attorney General's Office decision to move forward with litigation.
At the center of the lawsuit is DD Perks, the company's online accounts. Dunkin' customers can register these accounts through the Dunkin' Donuts websites and mobile apps. They can be used to store rewards points on so-called "DD cards," which they can later use to obtain discounts at Dunkin' locations.
According to a lawsuit filed by the New York Attorney General's Office yesterday, Dunkin' failed on several occasions to investigate cyber-attacks aimed at these accounts and also failed to notify customers of account breaches.
The lawsuit [PDF] alleges the following:
ZDNet reported the 2018 attack in late November last year when Dunkin' sent out a data breach notification letter. At the time, the company told ZDNet that the incident was a credential stuffing attack during which hackers used usernames and passwords leaked from breaches at other companies to gain access to Dunkin' accounts.
Consistent with the New York state lawsuit, the breach notification letter described the attack as a series of attempts to log into accounts, and said the company "was successful in stopping most of these attempts," but not all.
Furthermore, the company suffered another credential stuffing attack in February 2019.
But in an email to ZDNet, Dunkin' disputed all the claims made by New York state officials in their lawsuit.
"There is absolutely no basis for these claims by the New York Attorney General's Office," a Dunkin' spokesperson told ZDNet. "For more than two years, we have fully cooperated with the AG's investigation into this matter, and we are shocked and disappointed that they chose to move ahead with this lawsuit given the lack of merit to their case.
"The investigation centered on a credential stuffing incident that occurred in 2015, in which third parties unsuccessfully tried to access approximately 20,000 Dunkin' app accounts. The database in question did not contain any customer payment card information," it added.
"The incident was brought to our attention by our then-firewall vendor, and we immediately conducted a thorough investigation. This investigation showed that no customer's account was wrongfully accessed, and, therefore, there was no reason to notify our customers.
"We take the security of our customers' data seriously and have robust data protection safeguards in place," Dunkin' said. "We look forward to proving our case in court."