As data leaks and thefts happen more and more often, how a company handles them matters. Nowadays, even the biggest companies fail to protect their customers' information, and that says a lot.
Dunkin’ Donuts was sued this week by the office of New York Attorney General Letitia James. The company is accused of mishandling a series of cyberattacks. The most recent one affected over 300,000 customers — including 36,000 New Yorkers.
Since 2015, millions of cyberattacks, carried out with software automated to guess password or ID information, were used to attempt entry into Dunkin’ customer online accounts.
The main reason for the lawsuit was that Dunkin’ had been notified of these incidents by its app developer CorFire by mid-2015, but the company did not notify its customers. It did not freeze accounts, reset passwords, or follow its own protocol for dealing with such a situation. The company ignored the guidelines of its Computer and Data Security Incident Response Plan.
At the beginning of 2015, the attacks allegedly saw “tens of thousands” of customer accounts compromised, and “tens of thousands” of dollars in customer rewards stolen off their value cards, the lawsuit states. Dunkin’ did not act until another vendor contacted it again in 2018 to notify it that a new hack had affected over 300,000 customer accounts.
“Dunkin’ failed to protect the security of its customers,” said Attorney General James in a statement. “Instead of notifying the tens of thousands impacted by these cybersecurity breaches, Dunkin’ sat idly by, putting customers at risk.” This says a lot about the company, as it did not take any action to protect its customers at all.
However, Dunkin’ representatives have alleged that the lawsuit is incorrect and that the company did not find evidence that customer accounts had been wrongfully accessed during the 2015 incident, according to CBS News.