Dunkin' Donuts, the popular coffee and pastry retailer, was sued Thursday by New York Attorney General Letitia James, who said the company broke state law when it failed to notify thousands of customers that some of their information and funds had been exposed to hackers.

The company was warned of a series of breaches more than four years ago, but failed to notify customers who were affected or take any remedial measures, James said.

"Dunkin' failed to protect the security of its customers," James said. "And instead of notifying the tens of thousands impacted by these cybersecurity breaches, Dunkin' sat idly by, putting customers at risk."

The state is demanding, through the suit, that the company now offer restitution to customers whose funds were allegedly stolen, and pay a $5,000 civil penalty per person affected.

Karen Raskopf, a spokeswoman for Dunkin', said in a statement Thursday that the state's characterization of what happened during the alleged data breaches wasn't accurate.

"There is absolutely no basis for these claims by the New York Attorney General's Office," Raskopf said. "For more than two years, we have fully cooperated with the AG's investigation into this matter, and we are shocked and disappointed that they chose to move ahead with this lawsuit given the lack of merit to their case."

The lawsuit, filed in Manhattan Supreme Court Thursday, alleged that Dunkin' broke sections of the state's general business law and executive law when it failed to notify consumers of an initial breach in 2015, and then didn't disclose the full nature of another breach in 2018.

The alleged misconduct started in 2015, when nearly 20,000 customer accounts were compromised in a series of cyberattacks, according to the lawsuit.

Those accounts were created by customers through both the company's website and its mobile app, and were used to store funds that could then be used to make purchases at stores and online. Those so-called DD cards can be loaded with funds using a credit card that's stored with the account.

Attackers purportedly made millions of attempts during 2015 to log in to Dunkin' customer accounts by transmitting customer email address and password combinations to Dunkin' systems, the suit said.

Later that year, a third-party application developer, named CorFire, told Dunkin' that hackers had successfully accessed at least 19,715 customer accounts over a five-day period alone.
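The login traffic described above, many email and password combinations submitted against the login endpoint from a single source, is the signature of credential stuffing. As an added example that is not part of the article and not Dunkin's or CorFire's code, this Python detector flags source IPs that attempt many logins across many distinct accounts within a short window of a constructed login log, and lists the accounts that succeeded from such a source, which is the set a defender would reset. The log format, thresholds and IP addresses are assumptions.

```python
# Added example (not from the article, Dunkin' or CorFire): flag credential
# stuffing in a constructed login log and list the accounts to reset.
from collections import defaultdict
from datetime import datetime

# Constructed sample log, one event per line: "timestamp src_ip email result".
# 203.0.113.7 sprays many accounts; 198.51.100.2 is one user retrying a password.
SAMPLE_LOG = """\
2015-06-01T10:00:00 203.0.113.7 a@example.com FAIL
2015-06-01T10:00:01 203.0.113.7 b@example.com FAIL
2015-06-01T10:00:01 203.0.113.7 c@example.com FAIL
2015-06-01T10:00:02 203.0.113.7 d@example.com FAIL
2015-06-01T10:00:02 203.0.113.7 e@example.com SUCCESS
2015-06-01T10:00:03 203.0.113.7 f@example.com FAIL
2015-06-01T10:05:00 198.51.100.2 g@example.com FAIL
2015-06-01T10:05:30 198.51.100.2 g@example.com FAIL
2015-06-01T10:06:00 198.51.100.2 g@example.com SUCCESS
"""


def parse(log):
    """Yield (timestamp, ip, email, result) tuples from the assumed log format."""
    for line in log.splitlines():
        ts, ip, email, result = line.split()
        yield datetime.fromisoformat(ts), ip, email, result


def find_stuffing(log, min_attempts=5, min_accounts=4, window_s=60):
    """Return {ip: {"attempts", "accounts", "compromised"}} for source IPs that,
    within window_s seconds, made at least min_attempts login attempts spread
    over at least min_accounts distinct emails. Accounts that logged in
    successfully from such an IP are listed as compromised (reset candidates).
    A single user failing repeatedly on one account is deliberately not flagged."""
    by_ip = defaultdict(list)
    for ts, ip, email, result in parse(log):
        by_ip[ip].append((ts, email, result))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):  # sliding time window over sorted events
            while (events[end][0] - events[start][0]).total_seconds() > window_s:
                start += 1
            window = events[start:end + 1]
            if len(window) >= min_attempts and len({e for _, e, _ in window}) >= min_accounts:
                flagged[ip] = {
                    "attempts": len(events),
                    "accounts": len({e for _, e, _ in events}),
                    "compromised": sorted({e for _, e, r in events if r == "SUCCESS"}),
                }
                break
    return flagged
```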

The lawsuit does not allege that the credit card numbers of those customers were exposed to the attackers, but the perpetrators were able to use the accounts in different ways for financial gain, according to the complaint.

Some customers, for example, set up their account to automatically reload with funds when needed. If that was the case, hackers could use the accounts to make purchases indefinitely, since they would automatically reload, the lawsuit said.

They would also have access to the customer's DD Card number and the PIN used, according to James' office. That would allow them to sell the customer's DD Cards online. Access to an account would also allow an attacker to use beverage coupons and other promotions.

Any other information found on the account could also be obtained by the hackers and incorporated into future attacks targeting those customers, the lawsuit said. That would include phishing campaigns, in which someone tries to lure an individual into a financial scam online.

The lawsuit alleged that Dunkin' failed to investigate the attacks after the company was made aware of them by the developer, including whether any funds had been stolen from customers. The company also failed to take other steps, the lawsuit said.

"Dunkin' failed to take appropriate actions to protect the 19,715 customers whose accounts CorFire had identified, such as notifying the customers of the breach, resetting the account passwords to prevent further unauthorized access, or freezing DD cards registered with the accounts," the lawsuit said.

Raskopf, the Dunkin' spokeswoman, disputed that claim in her statement, saying the incident was subject to a "thorough investigation" that showed the hackers failed to access the accounts identified by the developer.

"This investigation showed that no customer's account was wrongfully accessed, and, therefore, there was no reason to notify our customers," Raskopf said.

The state also claimed that the company didn't replace stolen DD cards or issue refunds to customers for funds stolen through the attack, the lawsuit said.

Instead, the suit claimed that Dunkin' told many customers who called to report fraudulent activity that it might have been their own fault. Over a two-year period after the attacks started, thousands of customers allegedly contacted the company to make such a report, and were told they could have been victims of phishing.

"Instead of disclosing that customer accounts had been targeted in brute force attacks, Dunkin' customer service personnel told many customers that the customers' own actions may have led to the fraudulent activity," the lawsuit said.

Three years after the initial attack, attackers gained access to more than 300,000 Dunkin' customer accounts in the same way. Unlike the first instance, Dunkin' contacted impacted customers, but the lawsuit claimed that those consumers were misled.

"Instead of disclosing that customers' accounts had been accessed without authorization, Dunkin' falsely represented that it and its vendor had concluded only that a third party had 'attempted' or 'may have attempted to log in' to customers' accounts," the lawsuit said.

Legal counsel for Dunkin' was not immediately available Thursday.