CANTON (CBS/AP) — The New York attorney general says Dunkin’ Donuts violated state law by not notifying almost 20,000 customers, including more than 2,000 in New York, about cyberattacks on their accounts in 2015 and inadequately warning more than 300,000 customers in 2018 about another attack.

Attorney General Letitia James announced a lawsuit Thursday against Dunkin’ Brands, Inc., which is based in Canton, Massachusetts.

.@dunkindonuts failed to notify nearly 20K customers that their accounts had been compromised & their information & personal funds were in jeopardy. They sat idly by instead of protecting the security of their consumers, and we're suing to hold them accountable. — NY AG James (@NewYorkStateAG) September 26, 2019

The suit says the company knew in 2015 that a series of attacks had been made on customers’ online accounts. But it says the company didn’t inform the customers or fully investigate.

The suit says Dunkin’ also kept customers in the dark about the full extent of 2018 cyberattacks.

“They sat idly by instead of protecting the security of their consumers, and we’re suing to hold them accountable,” James tweeted.

Dunkin’ Brands Inc. strongly pushed back against James’ contention.

“There is absolutely no basis for these claims by the New York Attorney General’s Office. For more than two years, we have fully cooperated with the AG’s investigation into this matter, and we are shocked and disappointed that they chose to move ahead with this lawsuit given the lack of merit to their case,” Dunkin’ chief communications officer Karen Raskopf said in an emailed statement.

She said in connection to the 2015 incident, an investigation had been conducted and showed that no customer account had been wrongfully accessed and there was no reason to inform customers.

(© Copyright 2019 CBS Broadcasting Inc. All Rights Reserved. The Associated Press contributed to this report.)