Dunkin’ Brands Inc. resolves lawsuit with the state of New York over 2015 data breach that compromised tens of thousands of customers’ online accounts in a case that highlights the importance of cyber security in digital coffee shop transactions
Dunkin’ will pay the state of New York $650,000 to settle a lawsuit over a security breach that exposed the credentials of more than 20,000 DD Cards in 2015. The early 2015 incident saw cyber attackers access customers’ accounts to make tens of thousands of dollars of fraudulent in-store transactions.
According to New York State Attorney General Letitia James, Dunkin’ did not take action, such as freezing accounts or notifying customers of the breach, despite the attack being flagged by app developers in 2015.
In addition to the financial penalty, the settlement requires Dunkin’ to notify customers of the breach, provide refunds for all unauthorised DD Card purchases, and safeguard against similar attacks in the future.
The case highlights the importance of maintaining cyber security and following local legal procedures – which can differ vastly internationally – as coffee chains globally accelerate the rollout of digital payment and loyalty services in the wake of coronavirus.
In 2014, Seattle-based coffee chain Starbucks was affected by a similar data breach, where cyber attackers stole customers’ store card credentials to make fraudulent in-store transactions across the US and Canada.