Sept. 26 (UPI) -- The state of New York filed a lawsuit Thursday against the operator of Dunkin' Donuts and Baskin-Robbins, saying the company failed to protect thousands of customer accounts from hackers -- and then failed to notify thousands after they were hacked.
Attorney General Letitia James announced the suit, which says Dunkin' Brands violated New York's data breach notification statute, stemming from security incidents in 2015 and 2018.
The suit says the company failed to protect nearly 20,000 customers from the attacks because it neglected to inform them about the breach.
"Dunkin' failed to protect the security of its customers," she said. "Instead of notifying the tens of thousands impacted by these cybersecurity breaches, Dunkin' sat idly by, putting customers at risk. My office is committed to protecting consumer data and holding businesses accountable for implementing safe security practices."
Dunkin' Brands also failed, James said, to investigate whether more accounts had been compromised and allowed "potentially thousands more" to be hacked -- without ever advising customers to take pre-emptive action, like resetting their passwords.
The company was notified late last year of another attack that affected more than 300,000 accounts, and did inform customers of that occurrence, the suit notes. However, James said it failed to tell them accounts had been accessed without authorization.
The compromised accounts were created through the Dunkin' Donuts website and mobile app.
Dunkin' Brands dismissed the claims made in the suit.
"There is absolutely no basis for these claims," Dunkin' Brands Chief Communications Officer Karen Raskopf said in an emailed statement. "For more than two years, we have fully cooperated with the AG's investigation into this matter, and we are shocked and disappointed that they chose to move ahead with this lawsuit given the lack of merit to their case.
"The database in question did not contain any customer payment card information. The incident was brought to our attention ... and we immediately conducted a thorough investigation. This investigation showed that no customer's account was wrongfully accessed, and, therefore, there was no reason to notify our customers.
"We take the security of our customers' data seriously and have robust data protection safeguards in place. We look forward to proving our case in court."