Dunkin’ Donuts warns of security breach affecting members of chain’s ‘DD Perks’ program
Dunkin’ Donuts on Thursday alerted customers of the chain’s “DD Perks” program about the potential compromise of their account credentials.
“Although Dunkin’ did not experience a data security breach involving its internal systems, we’ve been informed that third-parties obtained usernames and passwords through other companies’ security breaches and used this information to log into some Dunkin’ DD Perks accounts,” parent company Dunkin’ Brands said in a letter sent to potentially affected customers.
“We believe that these third-parties obtained usernames and passwords from security breaches of other companies,” the company told account holders. “These individuals then used the usernames and passwords to try to break in to various online accounts across the Internet.”
The type of potentially compromised data depends on what information affected customers entered into their accounts, but could include full names, email addresses and DD Perks numbers, the company said.
Dunkin’ Donuts did not say how many users may have been affected, and the company did not immediately return a request for clarification.
Headquartered in Canton, Massachusetts, Dunkin’ Donuts has over 11,000 shops in 36 countries, including 8,500 in the United States, according to its website. It launched its “DD Perks” loyalty program in 2011, and the program boasted more than 7.5 million users as of November 2017.
Dunkin’ said that its security vendor prevented most of the attempted log-ins, and that, after becoming aware of the activity late last month, the company reset the passwords of users who may have been affected.
“We immediately launched an internal investigation and have been working with our security vendor to remediate this event and to help prevent this kind of event from occurring in the future,” the company said Thursday. “We also reported the incident to law enforcement and are cooperating with law enforcement to help identify and apprehend those third parties responsible for this incident.”