This article is more than 1 year old

Dunkin do-nots: Deep-fried cake maker did not warn its sugar addicts that crooks raided web accounts, says NY AG

President facing impeachment probe, Brexit off the rails... but more importantly, your Dunkies account was potentially pwned

The US state of New York is suing food chain Dunkin Donuts for what is says is an illegal lapse in computer security.

NY Attorney General Letitia James said today the complaint stems from a 2015 raid on Dunkin's website: fraudsters broke into individual customer accounts, stole those victims' store loyalty card info from the compromised Dunkin profiles, and sold that sensitive information online.

As many as 20,000 customer records were put up for sale on data-trading darknet markets, while Dunkin hushed up the theft, it is claimed. No one was alerted to the account hijackings, and no investigation took place, we're told.

"Dunkin’ failed to take any steps to protect these nearly 20,000 customers — or the potentially thousands more they did not know about — by notifying them of unauthorized access, resetting their account passwords to prevent further unauthorized access, or freezing their DD cards," the AG's office said of the suit.

"Dunkin' also failed to conduct any investigation into or analysis of the attacks to determine how many more customer accounts had been compromised, what customer information had been acquired, and whether customer funds had been stolen."

According to James, the crooks brute-forced their way into these customer accounts by simply guessing people's passwords.


Time Warner Cable, you've 'earned your miserable reputation' – NY Attorney General


The Attorney General alleges that DD was aware of the pilfering yet failed to notify punters that their accounts had been compromised.

"Dunkin’ failed to protect the security of its customers," James said. "And instead of notifying the tens of thousands impacted by these cybersecurity breaches, Dunkin’ sat idly by, putting customers at risk."

The Attorney General is now filing suit against the donut chain in hopes of getting back some of the money lost to the thieves, claiming the chain has violated the state's data breach notification statute as well as consumer protection laws that require companies to accurately disclose the measures they take to protect customer accounts.

The lawsuit seeks an injunction against the sugar-slingers as well as a payout to customers and a fine for violating state laws. Dunkin' did not have comment at time of going to press. ®

More about


Send us news

Other stories you might like