Dunkin’ to ‘fill the holes’ in security, reimburse hacked customers

ALBANY — New York reached a settlement Tuesday with Dunkin’ Brands Inc. over a lawsuit that accused the company of failing to adequately respond to cyberattacks since 2015 that compromised customers’ online accounts.

The settlement with Dunkin’ Donuts’ parent company requires it to notify customers impacted by the attacks, reset those customers’ passwords and provide refunds for any unauthorized use of customers’ stored value cards.

The Canton, Massachusetts-based company will also need to maintain safeguards to protect against similar attacks and pay $650,000 in penalties to New York, Attorney General Letitia James announced.

“For years, Dunkin’ hid the truth and failed to protect the security of its customers, who were left paying the bill,” James said in a statement. “It’s time to make amends and finally fill the holes in Dunkin’s cybersecurity. Not only will customers be reimbursed for lost funds, but we are ensuring the company’s dangerous brew of lax security and negligence comes to an end.”

What happened

The state attorney general’s office said the online accounts of Dunkin’ customers were first targeted in early 2015 in a series of “credential stuffing attacks” — which were automated attempts to gain access to accounts using usernames and passwords stolen through security breaches of other unrelated websites.

The cyberattacks, which went on through 2018, led to tens of thousands of customer accounts being compromised within months, mainly Dunkin’-branded stored value cards known as “DD cards” that could be used to make purchases at Dunkin’ stores, the state said.

Gaining access to the accounts allowed hackers to use the cards to make purchases or sell them online, leading to “tens of thousands of dollars” being stolen from customers’ cards, James said.

The state contended Dunkin’ was repeatedly alerted to the attacks on nearly 20,000 customer accounts by a third-party app developer over a five-day period and didn’t take strong action to stop them or alert customers.

“Among other missteps, Dunkin’ failed to notify these customers of unauthorized access to their accounts, reset their account passwords to prevent further unauthorized access or freeze their DD cards,” the attorney general’s office said in a news release.

James filed a complaint last September against the company, alleging it violated New York’s data breach notification statute.

There was no immediate comment from Dunkin’ on the settlement.

What are customers entitled to?

Under the terms of the settlement, Dunkin’ will need to:

• Reset the password of each New York customer impacted in an attack who had a “DD card” registered to their account at the time.

• Notify the customers that their accounts were, or may have been, accessed.

• Tell the customers that they are eligible for a refund for any fraudulent activity that resulted from an attack.

Customers will have 90 days to contact Dunkin’ by calling 800-447-0013 or by emailing customerservice@dunkinbrands.com to request copies of their account records and report fraudulent activity.