Apparently, tens of thousands of customers’ accounts were targeted in a series of “brute force attacks” in 2015. Around 20,000 accounts were compromised over a five-day period, but the number may be much higher seeing as the attack went on for months. The attackers broke into customers’ Dunkin’ profiles containing registered DD cards — reloadable cards used to make purchases — using account names and passwords leaked on the internet from other security breaches. They then sold the victims’ DD cards online or used them to buy things, stealing “tens of thousands of dollars” from the victims.

James said the company did nothing, even though the third-party app developer working for Dunkin’ notified it about the breach and provided it with the list of accounts that had been compromised. The Attorney General’s announcement of the lawsuit explained:

“…Dunkin’ failed to take any steps to protect these nearly 20,000 customers — or the potentially thousands more they did not know about — by notifying them of unauthorized access, resetting their account passwords to prevent further unauthorized access, or freezing their DD cards. Dunkin’ also failed to conduct any investigation into or analysis of the attacks to determine how many more customer accounts had been compromised, what customer information had been acquired, and whether customer funds had been stolen.”

The company also failed to implement precautionary measures to prevent a security breach from happening again. In 2018, 300,000 customer accounts were compromised yet again. While Dunkin’ notified customers that time around, it only told them that a third-party entity attempted to break into their account — it reportedly didn’t admit that their account had been compromised. The New York Attorney General is asking, among other things, that the company be penalized and for customers to be compensated.