Filling in the Holes: Dunkin Settles Breach Allegations with NYAG

Kelley Drye & Warren LLP

On Tuesday, the New York Attorney General Letitia James announced a settlement with Dunkin’ Brands, Inc. over allegations that the company failed to adequately respond to years of cyberattacks that compromised customers’ online accounts.

According to the lawsuit, Dunkin’ customers with “DD Perks” accounts were first targeted in early 2015 in a series of “credential stuffing attacks” — which were automated attempts to gain access to accounts using usernames and passwords stolen through security breaches of other unrelated websites.

Allegedly, the maker of the Dunkin app repeatedly warned Dunkin of these attacks, but Dunkin’ failed to conduct an investigation into the attacks to identify which accounts had been compromised, what customer information may have been acquired, and whether customer funds had been stolen. The lawsuit alleged that that the 2015 incident impacted nearly 20,000 customers and the subsequent 2018 hack affected another roughly 300,000 customers.

Dunkin provided a statement on Tuesday refuting the claims and stating that they provided notifications and reset passwords for many affected by these breaches. They also state that they increased their security measures prior to the settlement.

Under the terms of the settlement with the Attorney General, Dunkin will be required to notify customers impacted by the attacks, reset those customers’ passwords, and provide refunds for any unauthorized use of customers’ stored value cards. The company must also maintain safeguards to protect against similar attacks in the future, follow incident response procedures when an attack occurs, and pay $650,000 in penalties and costs to New York state.

The full text of the settlement is available here. This case is a good reminder for companies to ensure they have an appropriate data security program in place to address and respond to breaches should the need arise, including those that may be limited to online account credentials.

[View source.]

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Kelley Drye & Warren LLP | Attorney Advertising

Written by:

Kelley Drye & Warren LLP

Kelley Drye & Warren LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.