Dunkin' Donuts sued by State of New York over cyberattacks

American coffee and donut company Dunkin’ Donuts has been sued by the people of the State of New York for the "fraudulent and unlawful practices" by the company. According to a lawsuit filed seen by Marketing, Dunkin's customer accounts were targeted in a series of online attacks in 2015. During this period, the suit said that attackers made millions of automated attempts to access customer accounts and tens of thousands of dollars on customers’ stored value cards were stolen.Despite its company policy which requires a thorough and deliberate investigation after a cyberattack, the court filing said Dunkin’ failed to conduct an appropriate investigation into, and analysis of, the attacks to determine which customer accounts had been compromised, what customer information had been acquired, and whether customer funds had been stolen. In addition, the people of the State of New York said that Dunkin’ did not notify its customers of the breach, reset the account passwords to prevent further unauthorised access, or freeze the stored value cards registered with their accounts.Dunkin’ sells branded stored value cards which can be used to purchase beverages, food, and merchandise, both at Dunkin’ stores and online on its website. To encourage customers to create accounts, the filing said Dunkin’ had represented that the company uses reasonable safeguards to protect customers’ personal information from loss, misuse, and unauthorised access and disclosure. However, the breach occurred again last year. This time, Dunkin’ customer accounts were attacked and resulted in the unauthorised access of more than 300,000 customer accounts, said the suit.At that time, Dunkin’ allegedly contacted impacted customers but did not disclose to these customers that their accounts had been accessed without authorisation.Instead, Dunkin’ falsely conveyed that a third party had “attempted but failed" to log in to the customers’ accounts, the court filing said.In addition, the documents stated that the plaintiffs (people of the State of New York) said Dunkin’s customer service personnel told several customers that the customers’ own actions may have led to the fraudulent activity and that the fraudulent activity could have been the result of a “phishing” attack. Dunkin' has yet to counter the lawsuit with its explanations. Marketing has reached out to Dunkin' for comment.About a year ago, Dunkin’ Donuts revealed its new branding, dropping “Donuts” from its name, effective January 2019. The move comes as the company plans to position itself as a “premier beverage-led, on-the-go brand”. According to the company, the brand had been on a “first-name basis” with fans before the introduction of its “America Runs on Dunkin’,” tagline, with customers referring to the brand as “Dunkin’”. As such, the name change was done “in recognition of this relationship”.