Apparently, tens of thousands of customer accounts were targeted in a series of "brute force attacks" in 2015. Around 20,000 accounts were compromised over a five-day period, but the number may be much higher, as the attacks went on for several months. The attackers broke into customers' Dunkin profiles containing registered DD cards – rechargeable cards used to make purchases – using account names and passwords leaked on the Internet from other security breaches. They then sold the victims' DD cards online or used them to buy things, and stole "tens of thousands of dollars" from the victims.
James said the company did nothing, even though the third-party app developer who worked for Dunkin' notified it of the breach and provided it with a list of compromised accounts. The Attorney General's statement on the lawsuit explained:
"… Dunkin' failed to take any steps to protect these nearly 20,000 clients – or the potentially thousands more they did not know – by notifying them of unauthorized access, resetting their account passwords to prevent further unauthorized access or freezing the DD cards, nor did Dunkin' conduct any investigations or analyses of the attacks to determine how many more customer accounts had been compromised, what customer information was obtained, and whether the client fund had been stolen."
The company also failed to take measures to prevent a security breach from happening again. In 2018, 300,000 customer accounts were again compromised. While Dunkin notified customers at the time, it only told them that a third party would try to break into their account – it reportedly did not admit that their account had been compromised. The Attorney General in New York asks, among other things, that the company be punished and that the clients be compensated.