NEW YORK (CBSNewYork) – New York’s Attorney General Letitia James announced Tuesday a settlement has been reached in a lawsuit against Dunkin’ over a 2015 security breach.
The company was accused of failing to notify nearly 20,000 customers that their accounts had been compromised.
The lawsuit also claimed Dunkin’ failed to investigate what customer information was taken.
The company has agreed to refund customers, protect against future attacks, and pay $650,000 in penalties.
“For years, Dunkin’ hid the truth and failed to protect the security of its customers, who were left paying the bill,” said James. “It’s time to make amends and finally fill the holes in Dunkin’s cybersecurity. Not only will customers be reimbursed for lost funds, but we are ensuring the company’s dangerous brew of lax security and negligence comes to an end.”
Under the terms of the settlement, Dunkin’ is required to take the following steps:
- Customers who had a registered DD card: To the extent it has not already done so, Dunkin’ will reset the password of each New York customer impacted in an attack who had a DD card registered to their account at the time and notify these customers that their accounts were, or may have been, accessed. Dunkin’ will also notify these customers that they are eligible for a refund for any fraudulent activity that resulted from an attack.
- Customers will have 90 days to contact Dunkin’ by calling (800) 447-0013 or by emailing firstname.lastname@example.org to request copies of their account records and report fraudulent activity.
- Customers who did not have a registered DD card: To the extent it has not already done so, Dunkin’ will reset the password of each New York customer impacted in an attack who did not have a DD card registered to their account at the time and inform the customer that their account was, or may have been, accessed.