New York sues Dunkin' Donuts over hack affecting thousands of people

Dunkin' Donuts knew about online attacks going back to 2015, and didn’t tell the public for years, the lawsuit alleged.

Alfred Ng Senior Reporter / CNET News

Alfred Ng was a senior reporter for CNET News. He was raised in Brooklyn and previously worked on the New York Daily News's social media and breaking news teams.

See full bio

Alfred Ng

Sept. 26, 2019 9:00 a.m. PT

2 min read

Dunkin' Donuts store in Union Square in New York City — Hackers were stealing account credentials from the DD Perks loyalty program starting in early 2015, according to the lawsuit.
Michael Brochstein/SOPA Images/LightRocket via Getty Images

New York is suing Dunkin' Donuts over its failure to disclose a data breach in 2015 affecting nearly 20,000 people who had signed up for the company's loyalty program. The lawsuit alleges Dunkin' Donuts failed to protect its customers (PDF), and knew about the cyberattacks for years before warning the public.

In Dunkin' Brand's public notification from November, it said it learned about a hack on Oct. 31, 2018, and warned its customers a month later. New York Attorney General Letitia James said the company knew it was suffering cyberattacks as early as 2015, and violated the state's data breach notification law.

"Dunkin' failed to protect the security of its customers," James said in a statement. "And instead of notifying the tens of thousands impacted by these cybersecurity breaches, Dunkin' sat idly by, putting customers at risk."

Dunkin' didn't respond to a request for comment.

Hackers had been targeting Dunkin' and stealing account credentials from the DD Perks loyalty program starting in early 2015, according to the lawsuit. The program allowed Dunkin' customers to make accounts and store reward points on cards. These accounts had personal information like first and last names as well as email addresses.

In February, Dunkin' disclosed another cyberattack targeting the same program, where hackers successfully stole accounts and sold the information on the dark web.

The attackers were able to steal these accounts through credential stuffing -- a method where hackers use passwords in other breaches and spam them across websites. These attacks are successful against people who re-use passwords on multiple accounts.

Dunkin' staffers had received customer complaints that their accounts were getting hacked in May 2015, according to the lawsuit. The lawsuit also alleged that a third-party app developer for Dunkin' had been warning the company about these hacks, and showed the company 19,715 accounts that were stolen over five days.

According to court documents, Dunkin' failed to provide proper security measures or even notify the public until late 2018, when more than 300,000 accounts had been hacked.