ALBANY - New York reached a settlement Tuesday with Dunkin’ Brands, Inc. over a lawsuit that accused the company of failing to adequately respond to cyberattacks since 2015 that compromised customers’ online accounts.


The settlement with Dunkin' Donuts' parent company requires it to notify customers impacted by the attacks, reset those customers’ passwords and provide refunds for any unauthorized use of customers’ stored value cards.


The Canton, Mass.-based company will also need to maintain safeguards to protect against similar attacks and pay $650,000 in penalties to New York, Attorney General Letitia James announced.


"For years, Dunkin’ hid the truth and failed to protect the security of its customers, who were left paying the bill," James said in a statement.


"It’s time to make amends and finally fill the holes in Dunkin’s cybersecurity. Not only will customers be reimbursed for lost funds, but we are ensuring the company’s dangerous brew of lax security and negligence comes to an end."


What happened at Dunkin' Donuts


The state Attorney General's Office said the online accounts of Dunkin’ customers were first targeted in early 2015 in a series of "credential stuffing attacks" — automated attempts to log in to accounts using username and password pairs stolen in security breaches of other, unrelated websites, which succeed whenever a customer has reused the same credentials.


The cyberattacks, which went on through 2018, led to tens of thousands of customer accounts being compromised within months, mainly Dunkin’-branded stored value cards known as "DD cards" that could be used to make purchases at Dunkin’ stores, the state said.


Gaining access to the accounts allowed hackers to use the cards to make purchases or sell them online, leading to "tens of thousands of dollars" being stolen from customers' cards, James said.


The state contended Dunkin’ was repeatedly alerted to the attacks on nearly 20,000 customer accounts by a third-party app developer over a five-day period and didn't take strong action to stop them or alert customers.


"Among other missteps, Dunkin’ failed to notify these customers of unauthorized access to their accounts, reset their account passwords to prevent further unauthorized access or freeze their DD cards," the Attorney General's Office said in a news release.


James filed a complaint last September against the company, alleging it violated New York’s data breach notification statute.


There was no immediate comment from Dunkin' on the settlement.




What are customers entitled to?


Under the terms of the settlement, Dunkin’ will need to:


Reset the password of each New York customer impacted in an attack who had a "DD card" registered to their account at the time.

Notify the customers that their accounts were, or may have been, accessed.

Tell the customers that they are eligible for a refund for any fraudulent activity that resulted from an attack.


Customers will have 90 days to contact Dunkin’ by calling (800) 447-0013 or by emailing customerservice@dunkinbrands.com to request copies of their account records and report fraudulent activity.




Joseph Spector is the New York state editor for the USA TODAY Network. He can be reached at JSPECTOR@Gannett.com or followed on Twitter: @GannettAlbany




This article originally appeared on New York State Team: Are you owed money? Dunkin’ Donuts to 'fill the holes' in security, reimburse hacked customers