This Jan. 22, 2018, file photo shows the Dunkin' Donuts logo on a shop in Mount Lebanon, Pa. Dunkin' Donuts violated state law by not notifying almost 20,000 customers, including more than 2,000 in New York, about cyberattacks on their accounts in 2015 and inadequately warning more than 300,000 customers in 2018 about another attack, the New York state attorney general said Thursday, Sept. 26, 2019, in announcing a lawsuit. Credit: Gene J. Puskar | AP

NEW YORK — Dunkin’ Donuts failed to notify almost 20,000 customers across the U.S. about cyberattacks on their accounts in 2015 and inadequately warned more than 300,000 customers about another hacking attack in 2018, New York’s attorney general said in a lawsuit announced Thursday.

“Dunkin’ failed to protect the security of its customers,” Attorney General Letitia James said in a statement. “And instead of notifying the tens of thousands impacted by these cybersecurity breaches, Dunkin’ sat idly by, putting customers at risk.”

According to the lawsuit, filed in state Supreme Court in Manhattan, the company knew in 2015 that a series of attacks had been made on customers’ online accounts, with attackers able to steal money customers had stored for use at Dunkin’ stores. But it said the company didn’t inform the customers or fully investigate.

The suit also accuses Dunkin’ of keeping customers in the dark about the full extent of 2018 cyberattacks, by only intimating attempts had been made to access accounts but not that accounts had been breached.

Dunkin’ Brands Inc. strongly pushed back against James’ contentions.

“There is absolutely no basis for these claims by the New York Attorney General’s Office. For more than two years, we have fully cooperated with the AG’s investigation into this matter, and we are shocked and disappointed that they chose to move ahead with this lawsuit given the lack of merit to their case,” Dunkin’ chief communications officer Karen Raskopf said in an emailed statement.

She said that during the 2015 incident, an investigation showed no customer account had been wrongfully accessed and there was no reason to inform customers.

New York has a law requiring businesses to notify customers about certain types of cybersecurity breaches. More than 2,000 of the customers affected by the 2015 breach were in New York.