The New York Attorney General’s Office hit Dunkin’ Brands with a lawsuit over the company’s cybersecurity practices, alleging that the company tricked consumers about the extent to which it protects their personal information.

“To encourage Dunkin’ customers to create online accounts and use Dunkin’s mobile app, Dunkin’ has represented to consumers, expressly and by implication, that it provides reasonable safeguards to protect personal information from loss, misuse and unauthorized access and disclosure,” according to the complaint.

The problem can be traced back to 2015, the AG said, when Dunkin’s customer accounts were targeted in a series of “brute force” attacks online, where millions of automated attempts were made to access customer accounts. Tens of thousands of customer accounts—which include names, email addresses, and credit and debit card information—were compromised, and tens of thousands of dollars were stolen from customers’ stored value cards.

Although Dunkin’ was aware of the attacks and was repeatedly warned about the hackers’ ongoing attempts to log in to customer accounts, the company failed to take action, the AG alleged. A report from its app developer revealed that over a five-day period, attackers had successfully logged in to 19,715 accounts, at least 2,200 of which belonged to New York residents.

“Despite having promised customers that it would protect their personal information and company policies that required a thorough and deliberate investigation, Dunkin’ failed to conduct an appropriate investigation into, and analysis of, the attacks to determine which customer accounts had been compromised, what customer information had been acquired and whether customer funds had been stolen,” the AG alleged.

Dunkin’ also neglected to protect the customers whose accounts it knew had been compromised, the AG added, not even notifying customers of the breach or freezing the stored value cards registered with the accounts.

Over the past four years, the company further failed to implement appropriate safeguards to limit future brute force attacks, leading to a 2018 attack that resulted in the unauthorized access of more than 300,000 customer accounts, the AG said. While the company did notify the affected consumers this time around, it falsely represented that a third party had “attempted” or “may have attempted to log in” to customer accounts, not disclosing that accounts had been accessed without authorization.

“Dunkin’s representation to consumers that it used reasonable safeguards to protect consumers’ personal information, and the company’s statements concerning the 2018 breach, were false and misleading and violated New York’s consumer protection laws.”

The state court complaint seeks restitution for consumers as well as injunctive and equitable relief, plus civil penalties of $5,000 for each violation of state law and an additional $10 for each knowing and reckless violation.

The complaint was filed as New York v. Dunkin’ Brands, Inc.

Why it matters: The AG’s Office found fault with several actions by Dunkin’ Brands: its misrepresentations to customers about the security of their personal information, its failure to act after the 2015 brute force attacks, and its deceptive description of the 2018 data breach.