She said the doughnut king's cybersecurity system had a hole in it.
And now New York Attorney General Letitia James has announced a lawsuit against Dunkin' Brands Inc., the franchiser of Dunkin' Donuts, charging that the company failed to protect thousands of customers targeted in a series of cyberattacks, then failed to notify almost 20,000 customers their accounts had been compromised.
"Dunkin' failed to protect the security of its customers," James said in a statement released Thursday, adding: "And instead of notifying the tens of thousands impacted by these cybersecurity breaches, Dunkin' sat idly by, putting customers at risk."
The lawsuit, filed in state Supreme Court, involves accounts created through the company website and its free mobile app for both Android and iOS devices, James said in a news release regarding the suit.
The chief communications officer for Dunkin' Brands, Karen Raskopf, said in a statement to Newsday that for more than two years the company has "fully cooperated" with the investigation, adding: "There is absolutely no basis for these claims by the New York Attorney General’s Office."
Dunkin' said the investigation centered on a credential stuffing incident in 2015, in which third parties unsuccessfully tried to access approximately 20,000 Dunkin’ app accounts. The company noted the incident was brought to Dunkin's attention by a firewall vendor, and said it immediately conducted "a thorough investigation" that showed "no customer’s account was wrongfully accessed, and, therefore, there was no reason to notify our customers" — adding that Dunkin' has "robust data protection safeguards in place."
But according to James, there was a series of "brute force attacks" on customer accounts beginning in early 2015 with repeated automated attempts to gain access to accounts, often using usernames and passwords stolen through security breaches of other unrelated websites or online services.
She said that by May 2015 Dunkin' personnel had received customer reports of cyberthieves gaining access to their accounts and said that by that summer a third-party app developer for Dunkin' "repeatedly alerted the company to attackers' ongoing attempts to log in to customer accounts" — and even provided Dunkin' officials with a list of 19,715 accounts that had been compromised during one five-day period.
But, James said, Dunkin' "failed to implement appropriate safeguards to limit" those cyberattacks, and three years later, in late 2018, a vendor notified Dunkin' that customer accounts "again had been attacked," resulting in the unauthorized access of more than 300,000 accounts.
Not only did Dunkin' not disclose the incidents, James said, but it "falsely represented that a third party had merely 'attempted' to log in" to customer accounts — and that the attempt may have been unsuccessful.
The lawsuit alleges Dunkin' violated the state data breach notification statute, as well as state consumer protection laws.
It seeks full restitution to affected customers, as well as civil penalties and other remedies.