New York is suing Dunkin' Donuts over its failure to disclose a data breach in 2015 affecting nearly 20,000 people who had signed up for the company's loyalty program. The lawsuit alleges Dunkin' Donuts failed to protect its customers, and knew about the cyberattacks for years before warning the public.
In Dunkin' Brands' public notification from November, it said it learned about a hack on Oct. 31, 2018, and warned its customers a month later. New York Attorney General Letitia James said the company knew it was suffering cyberattacks as early as 2015, and violated the state's data breach notification law.
"Dunkin' failed to protect the security of its customers," James said in a statement. "And instead of notifying the tens of thousands impacted by these cybersecurity breaches, Dunkin' sat idly by, putting customers at risk."
Dunkin' didn't respond to a request for comment.
Hackers had been targeting Dunkin' and stealing account credentials from the DD Perks loyalty program starting in early 2015, according to the lawsuit. The program allowed Dunkin' customers to create accounts and store reward points on cards. These accounts held personal information such as first and last names as well as email addresses.
In February, Dunkin' disclosed another cyberattack targeting the same program, where hackers successfully stole accounts and sold the information on the dark web.
The attackers were able to steal these accounts through credential stuffing: a method where hackers take username and password pairs leaked in other breaches and try them in bulk across many other websites. These attacks succeed against people who reuse the same password on multiple accounts.
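Credential stuffing leaves a distinctive footprint in a site's login logs: one source trying many different accounts in a short time with a high failure rate, which is unlike a real user retrying a forgotten password on their own account. The script below is an added example of the defender-side check that detects this pattern; it is not code from Dunkin' or from the lawsuit, and the log format and sample lines are constructed for illustration (the IP addresses are from documentation ranges and the usernames are made up).

```python
"""Detect credential-stuffing patterns in web login logs.

Added example with a constructed log format: one login attempt per line,
"timestamp src_ip username result", where result is SUCCESS or FAIL.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample: 203.0.113.7 replays a leaked credential list against seven
# different accounts (two of them succeed), while 198.51.100.20 is an ordinary
# user retrying their own password before getting it right.
SAMPLE_LOG = """\
2015-05-01T10:00:00 203.0.113.7 alice@example.com FAIL
2015-05-01T10:00:01 203.0.113.7 bob@example.com FAIL
2015-05-01T10:00:02 203.0.113.7 carol@example.com SUCCESS
2015-05-01T10:00:03 203.0.113.7 dave@example.com FAIL
2015-05-01T10:00:04 203.0.113.7 erin@example.com FAIL
2015-05-01T10:00:05 203.0.113.7 frank@example.com FAIL
2015-05-01T10:00:06 203.0.113.7 grace@example.com SUCCESS
2015-05-01T10:05:00 198.51.100.20 heidi@example.com FAIL
2015-05-01T10:05:10 198.51.100.20 heidi@example.com FAIL
2015-05-01T10:05:20 198.51.100.20 heidi@example.com SUCCESS
"""

Event = Tuple[datetime, str, str, bool]  # (time, src_ip, username, succeeded)


def parse_log(text: str) -> List[Event]:
    """Parse the constructed log format into (time, ip, user, succeeded) tuples."""
    events: List[Event] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result == "SUCCESS"))
    return events


def detect_stuffing(events: List[Event],
                    window: timedelta = timedelta(minutes=10),
                    min_accounts: int = 5,
                    min_fail_ratio: float = 0.5) -> Dict[str, dict]:
    """Flag source IPs that, within a sliding time window, attempted logins to at
    least `min_accounts` distinct usernames with a failure ratio of at least
    `min_fail_ratio`. Many distinct accounts from one source with mostly failures
    is the signature of a leaked credential list being replayed; a single user
    retrying one account never reaches the distinct-account threshold.
    The summary for a flagged IP reflects its latest qualifying window."""
    by_ip: Dict[str, List[Event]] = defaultdict(list)
    for ev in sorted(events):
        by_ip[ev[1]].append(ev)

    flagged: Dict[str, dict] = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it spans at most `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            users = {e[2] for e in win}
            fails = sum(1 for e in win if not e[3])
            if len(users) >= min_accounts and fails / len(win) >= min_fail_ratio:
                flagged[ip] = {
                    "distinct_accounts": len(users),
                    "attempts": len(win),
                    "failures": fails,
                    # Accounts the attacker got into: these need a forced password
                    # reset and a notification to the account owner.
                    "compromised": sorted(e[2] for e in win if e[3]),
                }
    return flagged


if __name__ == "__main__":
    for ip, summary in detect_stuffing(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: {summary}")
```

The thresholds are assumptions to tune per site; the point is that the detector keys on distinct accounts per source and failure ratio rather than on failures per account, and that its output names the accounts that were actually taken over, which is exactly the list a company needs in order to reset those passwords and notify the affected customers.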
In May 2015, Dunkin' staffers had received customer complaints that their accounts were being hacked, according to the lawsuit. The lawsuit also alleged that a third-party app developer for Dunkin' had been warning the company about these hacks, and showed the company 19,715 accounts that were stolen over five days.
According to court documents, Dunkin' failed to provide proper security measures or even notify the public until late 2018, when more than 300,000 accounts had been hacked.