New York is suing Dunkin’ Donuts for failing to notify nearly 20,000 customers that their personal funds had been compromised in a series of cyberattacks aimed at the company’s website and mobile app. In a press release issued Thursday titled, “AG James Sues Dunkin’ Donuts For Glazing Over Cyberattacks,” Attorney General Letitia James said that, beginning in 2015, Dunkin’ customer accounts were targeted in a series of “brute force attacks” that allowed a hacker to gain access to customers’ Dunkin’ accounts and use the “stored value cards,” known as DD cards, registered to their accounts. According to the attorney general, tens of thousands of dollars on customers’ DD cards were stolen in a matter of months.
Despite receiving customer reports of the attacks in 2015, as well as multiple alerts of the breach from a third-party app developer, Dunkin’ did not conduct any investigation into the attacks, according to James. “... Instead of notifying the tens of thousands impacted by these cybersecurity breaches, Dunkin’ sat idly by, putting customers at risk,” James said. “... Dunkin’ falsely represented that it and its vendor had concluded only that a third party had ‘attempted’ or ‘may have attempted to log in’ to customers’ accounts,” reads the lawsuit. “My office is committed to protecting consumer data and holding businesses accountable for implementing safe security practices,” James said. The lawsuit seeks to give customers “full restitution” of lost Dunkin’ funds.