In Response to How the Company Handled its 2015 Data Breach, NY AG Letitia James Recently Filed a Lawsuit Against Dunkin’ Brands, Inc.
Dunkin’ Donuts is in hot water (not coffee) over its response to a 2015 data breach. New York Attorney General Letitia James recently filed a lawsuit against Dunkin’ Brands, Inc. (Dunkin’), alleging that the coffee-chain franchisor committed fraud by misinforming its customers about the nature of the cyberattack.
“Dunkin’ failed to protect the security of its customers,” Attorney General Letitia James argues in a press statement. “And instead of notifying the tens of thousands impacted by these cybersecurity breaches, Dunkin’ sat idly by, putting customers at risk. My office is committed to protecting consumer data and holding businesses accountable for implementing safe security practices.”
NY AG Lawsuit Against Dunkin’ Donuts
According to the lawsuit against Dunkin’, customer accounts, created through the Dunkin’ website or free mobile app for Android and iOS devices to manage DD value cards, were targeted in 2015 by a series of “brute force attacks.” The attacks involve repeated, automated attempts to gain access to accounts, often using usernames and passwords stolen through security breaches of other unrelated websites or online services. As a result of the brute force attacks, almost 20,000 customer accounts were compromised, and tens of thousands of dollars on customers’ DD cards were stolen.
By May 2015, Dunkin’ personnel were receiving customer reports that their accounts had been hacked. In addition, a third-party app developer for Dunkin’ repeatedly alerted the company to attackers’ ongoing attempts to log in to customer accounts, and even provided Dunkin’ with a list of 19,715 accounts that had been compromised by attackers over just a five-day period.
The Attorney General’s lawsuit alleges that Dunkin’ failed to properly respond to the breach. “Dunkin’ failed to conduct an appropriate investigation into, and analysis of, the attacks to determine which customer accounts had been compromised, what customer information had been acquired, and whether customer funds had been stolen,” the suit alleges. It further maintains that Dunkin’ failed to take steps to protect customers whose accounts had been breached. “Among other failures, Dunkin’ did not notify its customers of the breach, reset their account passwords to prevent further unauthorized access, or freeze the stored value cards registered with their accounts,” the suit states.
In late 2018, a vendor notified Dunkin’ that customer accounts were again compromised, with the attacks leading to the unauthorized access of more than 300,000 Dunkin’ customer accounts, many of which had DD cards associated with them. According to the suit, although Dunkin’ contacted impacted customers, it failed to disclose that customer accounts had been accessed without authorization. Rather, the company stated that a third party had merely “attempted” to log in to the customers’ accounts and that the attempt may not have been successful, according to the suit.
The suit alleges that Dunkin’ violated New York’s data breach notification statute, General Business Law § 899-aa, by failing to notify consumers and New York State authorities of the 2015 data breach, and failing to accurately notify consumers of the 2018 data breach. The lawsuit also alleges that Dunkin’ violated New York’s consumer protection laws, including Executive Law § 63(12), and General Business Law §§ 349 and 350, by misrepresenting to consumers that it provided reasonable safeguards to protect customers’ personal information when they first signed up for an account. The state is seeking injunctive relief, full restitution to customers, civil penalties, and other remedies.
Determining When Data Breach Notification Is Required
Dunkin’ Donuts maintains that its investigation failed to conclude that any customer accounts were wrongfully accessed. Accordingly, it determined customer notification was not required.
As the Dunkin’ data breach suit highlights, companies often struggle to determine whether they must inform customers of a data breach. The current regulatory landscape does not make the process any easier. While regulators such as the Securities and Exchange Commission and the Department of Health and Human Services have issued guidance for businesses under their purview, there is no federal law governing data breaches. To fill the void, states like New York and California have enacted their own regulations.
The state-level regulations are not consistent and continue to evolve. In New York, Gov. Andrew Cuomo signed the SHIELD Act into law this summer, which amends the state’s data breach notification requirements.
To meet the challenges of complex and ever-evolving data breach notification requirements, we encourage businesses to stay on top of legal developments and regularly consult with experienced counsel regarding your data security policies and procedures.
If you have questions, please contact us
If you have any questions or if you would like to discuss the matter further, please contact me, David Einhorn, or the Scarinci Hollenbeck attorney with whom you work, at 201-806-3364.
How Courts Evaluate Testamentary Capacity and Undue Influence Will contests in New Jersey are difficult to win, given the strong presumption that a properly executed will reflects the testator’s intent. However, challenges based on lack of testamentary capacity and undue influence remain common, particularly where there are concerns about mental capacity or the involvement of […]
Bringing on outside investors can provide the capital and strategic support a business needs to grow. However, raising capital also introduces important legal, financial, and operational considerations. Before bringing on investors, businesses should address key legal issues to reduce risk, streamline investor due diligence, and position the company for long-term success. Early preparation signals that […]
How the Updated Law Shapes Retirement and Estate Planning The SECURE 2.0 Act of 2022 materially reshapes the required minimum distribution (RMD) landscape, extending tax deferral opportunities while accelerating distribution requirements for many beneficiaries. For high-net-worth individuals and families, these changes are not merely technical. They require a reassessment of retirement income strategies, beneficiary planning, […]
Buying Commercial Property in New Jersey: Legal Guide for Small Businesses
Small businesses considering buying commercial property in New Jersey must evaluate a range of legal, financial, and operational factors. While ownership can offer long-term value and control, it also introduces significant risks if not properly structured. This guide outlines key considerations to help New Jersey business owners make informed decisions, minimize legal exposure, and successfully […]
The SEC’s Latest Guidance on Applying Federal Securities Laws to Tokenized Securities
On January 28, 2026, staff of the U.S. Securities and Exchange Commission’s Divisions of Corporation Finance, Investment Management, and Trading and Markets issued a joint statement clarifying how existing federal securities laws apply to tokenized securities. The SEC’s “Statement on Tokenized Securities” does not establish new law, but it does provide greater clarity on the […]
Common Legal Mistakes NYC and New Jersey Business Owners Make
Operating a business in the New Jersey and New York City metropolitan region offers incredible opportunities, but it also requires navigating a dense and highly regulated legal environment. From entity formation to regulatory compliance, seemingly minor legal oversights can expose business owners to significant risk. In our work with businesses throughout the region, our attorneys […]
No Aspect of the advertisement has been approved by the Supreme Court. Results may vary depending on your particular facts and legal circumstances.
Sign up to get the latest from our attorneys!
Explore What Matters Most to You.
Consider subscribing to our Firm Insights mailing list by clicking the button below so you can keep up to date with the firm`s latest articles covering various legal topics.
Stay informed and inspired with the latest updates, insights, and events from Scarinci Hollenbeck. Our resource library provides valuable content across a range of categories to keep you connected and ahead of the curve.
Let`s get in touch!
Sign up to get the latest from the Scarinci Hollenbeck, LLC attorneys!
