The Reason New York Once Sued Dunkin'

With an estimated population of over 8.4 million people (according to the United States Census Bureau), it's little surprise that the residents of New York City are occasionally disgruntled with the performance of city officials. In some cases, this results in lawsuits, and the New York City Comptroller reports that in 2021 there were 10,618 filings against the city, resulting in payouts totaling $933.7 million.

Even for a city the size of New York, that's a lot of money. But officials also use the legal system to benefit New York, including taking action against companies that fail to protect their customers. Dunkin' is a company that fell foul of such a pursuit.

In 2019, New York City filed a complaint against Dunkin', alleging that it failed to investigate and inform customers of two massive data breaches in 2015 and 2018, according to the NY Attorney General. The issue affected account holders of Dunkin's DD value cards. The claim stated that Dunkin' did not tell customers their accounts had been compromised or try to prevent further problems by freezing cards or resetting passwords. But how exactly did the cyber attack happen, and was Dunkin' at fault?

Hundreds of thousands of Dunkin' customers were affected

Over just five days in 2015, the NY Attorney General reports, Dunkin' was made aware of almost 20,000 customer accounts that had been compromised by a credential stuffing attack, in which details such as passwords, stolen in unrelated cyberattacks, are used to attempt further breaches (via Cloudflare). Consequently, tens of thousands of dollars were stolen from Dunkin' customers' DD cards.

For a company the size of Dunkin' (achieving $8.8 billion in annual sales, according to Restaurant Business), it could be expected that its cybersecurity measures would be rather robust. However, the doughnut titan failed to safeguard against additional problems, resulting in over 300,000 more accounts being affected in 2018, notes Reuters.

As a result, the NY Attorney General reports that New York City successfully sued Dunkin' for $650,000. The judgment also ordered Dunkin' to refund customers who had lost funds, reset account passwords, inform customers of future breaches, and deploy appropriate measures to prevent any more credential stuffing attacks.