Citibank faces a lawsuit from New York Attorney General Letitia James for allegedly failing to protect and reimburse customers who lost thousands of dollars in fraudulent wire transfers.

James filed a lawsuit Tuesday in U.S. District Court for the Southern District of New York, alleging Citi lacked “sufficiently robust data security measures to protect consumer financial accounts, respond appropriately to red flags, or limit theft by scam.”

Two victims allegedly lost thousands of dollars each when hackers managed to access their accounts and sent fraudulent wire transfers. In one case, Citi allegedly completed a fraudulent wire transfer without ever having contacted the victim to confirm it.

James alleged Citi violated the Electronic Fund Transfer Act when it failed to reimburse the customers, similar to when banks reimburse victims of electronic credit or debit card fraud.

Citi also might have violated the SHIELD Act, a New York state law that requires businesses that own or license computerized data to take reasonable safeguards to protect the security, confidentiality, and integrity of the private information of their customers, per the lawsuit. The law requires companies that possess customer private information to employ reasonable administrative safeguards to “both identify reasonably foreseeable internal and external risks and train and manage employees in [their] security program,” as well as technical safeguards to “detect, prevent, and respond to attacks or system failures.”

The lawsuit alleged Citi “failed to adopt appropriate layered security, including [multi-factor authentication]; algorithmic monitoring of consumer and account behavior; mechanisms to identify high-risk transactions or anomalous behavior that trigger strengthened procedures; or transaction limitations based on frequency, volume, and repeat activity.”

In a press release, James said the bank misled its customers about their rights after their accounts were hacked and then illegally denied reimbursement to the victims of fraud.

In December, James led a coalition of state attorneys general in writing letters to the Office of the Comptroller of the Currency and Consumer Financial Protection Bureau urging both agencies to ensure national banks cooperate with investigations by state attorneys general into violations of state law.

In an emailed statement, Citi said banks “are not required to make clients whole when those clients follow criminals’ instructions and banks can see no indication the clients are being deceived.”

“However, given the industry-wide surge in wire fraud during the last several years, we’ve taken proactive steps to safeguard our clients’ accounts with leading security protocols, intuitive fraud prevention tools, clear insights about the latest scams, and driving client awareness and education,” the statement continued. “Our actions have reduced client wire fraud losses significantly, and we remain committed to investing in fraud prevention measures to help our clients secure their accounts against emerging threats.”