According to the suit, the chain did not notify its customers when hackers gained access to their DD accounts, downloaded their information, and sold it. The coffee chain, however, did not admit or deny the accusations against it.
The attorney general's office explained, "Dunkin’ failed to take any steps to protect these nearly 20,000 customers — or the potentially thousands more they did not know about — by notifying them of unauthorized access, resetting their account passwords to prevent further unauthorized access, or freezing their DD cards."
Dunkin' settled the case earlier this month.
According to Reuters, "The parent of Dunkin’ Donuts on Tuesday agreed to upgrade its security protocols and pay $650,000 in fines and costs to settle a lawsuit by New York’s attorney general claiming it ignored cyberattacks that compromised the online accounts of tens of thousands of customers."
Reuters continues, explaining that according to the settlement, Dunkin' will need to "notify customers affected by the attacks between 2015 and 2018, reset their passwords, and provide refunds for unauthorized use of their Dunkin’-branded stored value card."
Dunkin' made a statement to The Register, explaining that they had already enhanced security protocols before the suit: "Long before the New York Attorney General filed suit in this matter, Dunkin’ had voluntarily implemented or enhanced the security measures identified in today’s settlement."
"We did so not because we were required to by any regulatory or enforcement authority, but because we are committed to protecting our customers’ data. We are continually updating and enhancing our security measures to address ever-evolving cyber security threats, and we use robust information security and data safeguards," the statement continued.