The Legal Battle: Why New York City Took Dunkin’ to Court

The reason New York once sued Dunkin’

Companies have a responsibility to take the steps necessary to keep their customers’ data private and secure. In 2019, Dunkin’, the popular coffee and doughnut chain, found itself facing a lawsuit filed by the City of New York for failing to address two massive data breaches that occurred in 2015 and 2018. This article delves into the details of these breaches, the implications for Dunkin’, and the steps New York City is taking to hold the company accountable.

The Allegations and Cybersecurity Breaches

The lawsuit filed by New York City alleges that Dunkin’ failed to investigate and notify customers of the data breaches that compromised their accounts. In 2015, Dunkin’ became aware that nearly 20,000 customer accounts had been compromised in a credential stuffing attack. This type of attack uses stolen credentials from unrelated cyberattacks to gain unauthorized access to user accounts. As a result, tens of thousands of dollars were stolen from Dunkin’ customers’ DD Cards.
Despite this breach, Dunkin’ did not take adequate steps to prevent further problems. In 2018, more than 300,000 additional accounts were affected by a similar data breach, demonstrating Dunkin’s failure to implement robust cybersecurity measures.

The lawsuit and its outcome

New York City’s lawsuit against Dunkin’ resulted in a $650,000 judgment against the company. In addition, Dunkin’ was ordered to refund customers who lost money, reset account passwords, notify customers of any future breaches, and implement reasonable measures to prevent credential stuffing attacks.
This ruling underscores the importance of companies proactively addressing data breaches and protecting their customers’ sensitive information. Failure to do so can have serious financial and reputational consequences, as Dunkin’ learned through this lawsuit.

The impact on Dunkin’

The lawsuit and subsequent judgment against Dunkin’ serve as a cautionary tale for companies operating in the digital age. It underscores the need for companies, regardless of size, to prioritize cybersecurity and invest in robust systems to protect customer data.
With its massive customer base and $8.8 billion in annual revenue, Dunkin’ should have had stringent cybersecurity measures in place. However, the company’s failure to effectively address the initial breach and prevent subsequent attacks resulted in significant financial losses and damage to its reputation.

The importance of customer trust

Protecting customer data is not only a legal and ethical obligation, it is also critical to maintaining customer trust. In today’s connected world, consumers are increasingly concerned about the security of their personal information. Companies that fail to prioritize cybersecurity risk losing customer trust and loyalty.
By suing Dunkin’ and holding the company accountable, New York City has sent a strong message that it will not tolerate negligence when it comes to protecting its residents’ information. This lawsuit serves as a reminder to all businesses that protecting customer data should be a top priority.

Lessons Learned and Moving Forward

The Dunkin’ case offers several important lessons for companies:
1. Take data breaches seriously: Promptly investigate and address potential breaches to mitigate damage and protect customers.
2. Implement robust cybersecurity measures: Invest in advanced security systems and protocols to prevent unauthorized access to customer data.
3. Communicate with customers: Promptly notify customers of any breaches or security incidents and provide guidance on how to protect themselves.
4. Learn from past mistakes: Use data breaches as learning opportunities to strengthen cybersecurity practices and prevent future incidents.
Ultimately, protecting customer data should be a priority for all businesses. By learning from the Dunkin’ case and implementing proactive cybersecurity measures, companies can protect their customers’ information, maintain trust, and avoid legal consequences.


What were the data breaches that led to the lawsuit against Dunkin’?

Dunkin’ experienced two significant data breaches in 2015 and 2018. The breaches involved credential stuffing attacks, in which stolen credentials from unrelated cyberattacks were used to compromise Dunkin’ customer accounts.

How many customer accounts were affected by the breaches?

Nearly 20,000 customer accounts were compromised in 2015, and an additional 300,000 accounts were affected by the data breaches in 2018.

What was the outcome of the lawsuit?

New York City’s lawsuit resulted in a $650,000 judgment against Dunkin’. Dunkin’ was also ordered to refund customers who lost money, reset account passwords, notify customers of future breaches, and implement measures to prevent similar attacks.

Why did New York City file a lawsuit against Dunkin’?

New York City filed the lawsuit against Dunkin’ because the company allegedly failed to investigate and notify customers of the data breaches, thereby neglecting its duty to protect customer information.

What lessons can companies learn from the Dunkin’ breach?

The Dunkin’ case underscores the importance of taking data breaches seriously, implementing robust cybersecurity measures, promptly communicating with customers about breaches, and learning from past mistakes to strengthen security practices.

Why is protecting customer data important for businesses?

Protecting customer data is critical to maintaining trust and loyalty. Failure to protect customer data can result in financial loss, reputational damage, and loss of customer confidence.
