[BreachExchange] New York sues Dunkin' Donuts over cyberattacks

Destry Winant destry at riskbasedsecurity.com
Fri Sep 27 09:55:18 EDT 2019


NEW YORK (Reuters) - The parent of Dunkin’ Donuts was sued on Thursday
by New York Attorney General Letitia James, who accused the chain of
failing to protect hundreds of thousands of customers whose accounts
were targeted in a series of “brute force” cyberattacks.

James said Dunkin’ Brands Group Inc did nothing in 2015 to protect
19,715 customers whose accounts had been targeted in a single five-day
period, after learning about the problem from its own app developer.

She said the Canton, Massachusetts-based company failed to notify
affected customers of the breaches, reset their passwords or freeze
their Dunkin’ Donuts cards.

James also said Dunkin’ failed to adopt appropriate safeguards to
limit future attacks, despite customer reports of continuing fraud on
their accounts.

That failure came to roost in late 2018 when more than 300,000
customer accounts were accessed in new attacks, James said in the
lawsuit, which concerns accounts created through Dunkin’s website or
free mobile app.

“Dunkin’ failed to protect the security of its customers,” James said
in a statement. “Dunkin’ sat idly by, putting customers at risk.”

The company did not immediately respond to a request for comment.

James’ lawsuit filed in a New York state court in Manhattan seeks
civil fines, restitution and other remedies for alleged violations of
state consumer protection and business laws.

“Dunkin’s representation to consumers that it used reasonable
safeguards to protect consumers’ personal information, and the
company’s statements concerning the 2018 breach, were false and
misleading,” the complaint said.
