Thursday, September 26, 2019

nassau otb stops ordering donuts to lose weight

State AG sues Dunkin’ over response to app cyberattacks


The New York attorney general is suing Dunkin’ for the company’s handling of a cyber-security lapse in its phone app, which compromised the finances of tens of thousands of customers, officials announced Thursday.
The first breach began in 2015, when nearly 20,000 customers with smartphone app accounts for managing their “DD cards” were hacked and had money stolen, the lawsuit says.
The app developer for Dunkin’, formerly Dunkin’ Donuts, told the company “repeatedly” about “ongoing attempts to log in to customer accounts,” but the java chain didn’t investigate, tell customers or make any changes to protect the accounts, the complaint alleges.
Once in the accounts, the hackers could use the store cards to make purchases at Dunkin’ locations or they could sell the cards online.
In the process, tens of thousands of dollars were stolen from customers and Dunkin’ didn’t pay users back for the thefts, the court papers charge.
Because the company didn’t fix the problem, 300,000 customers’ accounts were attacked again throughout 2018, and Dunkin’ misled customers by telling them there had been “attempted” access into their accounts, hiding the fact that the hackers had actually gotten in, the court papers charge.
“Instead of disclosing that customers’ accounts had been accessed without authorization, Dunkin’ falsely represented that it and its vendor had concluded only that a third party had ‘attempted’ or ‘may have attempted to log in’ to customers’ accounts,” the court documents charge.
“Dunkin’ failed to protect the security of its customers,” Attorney General Letitia James said in a statement. “And instead of notifying the tens of thousands impacted by these cybersecurity breaches, Dunkin’ sat idly by, putting customers at risk.”
“There’s no sugarcoating the fact that @dunkindonuts did nothing to protect consumers’ accounts as the dough continued to roll in…,” AG spokesperson Fabien Levy said in a tweet promoting a press release that accused the company of “Glazing Over Cyberattacks.”
The AG’s Office wants Dunkin’ to be fined $5,000 per customer account for falsely claiming the accounts were secure. The office is also seeking a $10 fine for each customer account that was hacked without the customer being notified of the breach.
The AG — who is also seeking unspecified restitution for customers — wants Dunkin’ to implement safeguards to prevent potential future breaches, the court papers say.
“There is absolutely no basis for these claims by the New York Attorney General’s Office,” said a rep with Dunkin’ Brands, Karen Raskopf. “For more than two years, we have fully cooperated with the AG’s investigation into this matter, and we are shocked and disappointed that they chose to move ahead with this lawsuit given the lack of merit to their case.”
Raskopf said that in the 2015 incident, accounts didn’t contain customer payment information and when Dunkin’ was notified, it immediately carried out an investigation, finding that no accounts were hacked.
“Therefore, there was no reason to notify our customers,” Raskopf said. “We take the security of our customers’ data seriously and have robust data protection safeguards in place.”
