James said Dunkin’ Brands Group Inc did nothing in 2015 to protect 19,715 customers whose accounts had been targeted after learning about the problem from its own app developer. The lawsuit claims “in a matter of months, tens of thousands of customer accounts were compromised through these attacks, and tens of thousands of dollars on customers’ DD cards were stolen.”

The lawsuit centers on breaches to the company’s DD perks database, which holds data from thousands of Dunkin’ customers who used the smartphone app to purchase their morning coffee, according to a statement released Thursday.

New York Attorney General Letitia James sued the parent company of Dunkin’ Donuts on Thursday, claiming the chain failed to protect hundreds of thousands of customers whose accounts were exposed in a series of “brute force” cyberattacks in 2015 and 2018.

The lawsuit, filed in New York state courts, also accuses Dunkin’ of failing to implement “appropriate safeguards to limit future brute force attacks through the mobile app” even after the 2015 breach. In James’ press release, her office accused the restaurant chain of “glazing over” the data breaches.

James also tweeted about the litigation.

.@dunkindonuts failed to notify nearly 20K customers that their accounts had been compromised & their information & personal funds were in jeopardy.



They sat idly by instead of protecting the security of their consumers, and we're suing to hold them accountable. — NY AG James (@NewYorkStateAG) September 26, 2019

In late 2018, Dunkin’ was informed again that 300,000 customer accounts had been attacked. The coffee chain responded to this breach by informing impacted customers that “a third-party may have attempted to log in to your DD Perks account.” The lawsuit argues the response downplayed the severity and scope of the breach.

“Dunkin’ failed to protect the security of its customers,” said James in a statement. “And instead of notifying the tens of thousands impacted by these cybersecurity breaches, Dunkin’ sat idly by, putting customers at risk.”

The Canton-based company denies any wrongdoing.

“There is absolutely no basis for these claims by the New York Attorney General’s Office. For more than two years, we have fully cooperated with the AG’s investigation into this matter, and we are shocked and disappointed that they chose to move ahead with this lawsuit given the lack of merit to their case,” said Karen Raskopf, chief communications officer for the company, in a statement to the Globe.

Raskopf said third parties were unsuccessful in accessing the 20,000 accounts in 2015 so “there was no reason to notify our customers.” She did not respond directly to James’ criticism of their handling of the security breach which reportedly occurred in 2018.