Dunkin' Donuts Parent Settles Cyber-attack Lawsuit
The suit was filed against Dunkin' Brands Group Inc. in state Supreme Court in Manhattan in September last year by the state of New York's attorney general Letitia James.
James alleged that Dunkin' neglected to inform customers of cyber-attacks that took place between 2015 and 2018 that compromised the accounts of thousands of customers.
Attackers used automated credential stuffing and brute-force attacks to steal money from customer accounts created through Dunkin's free mobile app or website.
James alleged that Dunkin' failed to inform customers that attacks had taken place, despite being warned repeatedly about the issue by its app developer.
During the summer of 2015, Dunkin's app developer provided the company with a list of 19,715 accounts that had been compromised by attacks over a sample period of just five days, but the donut seller failed to tell customers or upgrade its security, according to the lawsuit.
When the lawsuit was filed, Dunkin's chief communications officer Karen Raskopf told Infosecurity Magazine that there was "no basis for these claims" and that the company looked forward "to proving our case in court."
However, on Tuesday, Dunkin' Brands Group Inc. agreed to $650,000 in fines and costs to settle the lawsuit, according to Reuters. The company further acquiesced to carrying out an upgrade of its security protocols.
Under the terms of the settlement, Dunkin' customers will be notified of the cyber-attacks that took place between 2015 and 2018 and will be advised to reset their passwords.
Dunkin' has further agreed to give refunds for unauthorized transactions that occurred on their Dunkin' brand stored-value cards.
Dunkin' has not confirmed or denied any wrongdoing in relation to the cyber-attacks. The settlement of the suit requires a judge's approval.
The company, which is based in Canton, Massachusetts, has around 8,000 branches nationally, including 1,000 Dunkin' locations in New York.
Announcing the settlement, James punned: "Not only will customers be reimbursed for lost funds, but we are ensuring the company’s dangerous brew of lax security and negligence comes to an end.”