Dunkin’ Brands Inc. said Thursday that personal information of its DD Perks rewards program members may have been compromised in a recent data breach.
An external security vendor informed the coffee chain that on October 31, 2018, third-parties obtained usernames and passwords through external companies’ security breaches and attempted to log into some DD Perks accounts, the company said.
In a statement, Dunkin’ said “only a small percent” of account holders were affected. Earlier this year, the company said there were more than 9 million members in the DD Perks program.
The company noted that its internal systems were not affected.
“We believe that these third-parties obtained usernames and passwords from security breaches of other companies,” the company said in a statement sent to users who may have been affected by the incident.
“These individuals then used the usernames and passwords to try to break in to various online accounts across the Internet,” the statement continued. “Our security vendor was successful in stopping most of these attempts, but it is possible that these third-parties may have succeeded in logging in to your DD Perks account.”
According to the statement, Dunkin’ forced a systemwide password reset so DD Perks users would be required to change their passwords and took steps to replace any impacted DD Perks value cards.
The personal information that may have been stolen includes first and last names, email addresses and DD Perks card numbers, according to the company. Dunkin’ advised that users always use unique passwords and usernames for their DD Perks accounts, and never repeat passwords for unrelated online accounts.
Dunkin’ said it has opened an internal investigation to remediate the issue and will discuss how to prevent similar security beaches from occurring in the future. The company is also working with law enforcement to identify and apprehend the perpetrators.
Other restaurant brands reporting data breaches this year include Cheddar’s Scratch Kitchen, which in August said more than half a million customer payment cards may have been compromised; Dallas-based Chili’s Grill & Bar, which experienced a hacking incident between March and April of this year; and Tampa, Fla.-based PDQ which this summer said it had been the “target of a cyberattack” between May 2017 and April of this year.
Contact Joanna Fantozzi at [email protected]
Follow her on Twitter: @joannafantozzi
Update, Nov. 29, 2018: This story has been updated to include a statement from Dunkin’ on the number of account holders impacted.