Bojangles sued again by workers over Russian hacker data breach. NC judge weighs in
5 mins read

Bojangles sued again by workers over Russian hacker data breach. NC judge weighs in

A class-action lawsuit over a 2024 data breach of Bojangles employee data linked to Russian hackers can move forward, a North Carolina Business Court judge has ruled.

Read more What the Hornets are saying about defending summer league championship

The case had been tossed out of federal court last year. But so far, the plaintiffs have had better luck in the state system.

A group of Russian cybercriminals obtained more than 387,000 files and more than 290 gigabytes worth of information, according to the state lawsuit, and posted information on the dark web, including Social Security numbers and other personal data.

. This led nine former employees to file a lawsuit against Bojangles on behalf of themselves and other employees in January 2025 in the U.S. District Court for the Western District of North Carolina in Charlotte.

The former chicken-and-biscuit restaurant chain workers sought monetary damages and a court order to force Bojangles to tighten its data security to protect personal information.

Plaintiffs also demanded a jury trial to obtain compensation for damages and cover legal costs.

In late September 2025, a federal judge in North Carolina denied plaintiffs’ requests for monetary damages, an order requiring Bojangles to tighten data security, and a jury trial to recover damages and legal costs, The Charlotte Observer previously reported. The judge concluded that the plaintiffs failed to show that their data was misused as a result of the breach.

The court also ruled that claims such as fear of potential identity theft, an increase in spam calls or emails not clearly linked to the breach, and time spent or stress caused by the incident were not sufficient to allow the lawsuit to proceed.

Attorneys refiled the case in December in Wake County Superior Court.

The new complaint accused Bojangles of failing to adequately secure employee data, misleading workers about how safe its systems were and improperly benefiting by skimping on cybersecurity. The plaintiffs are also asking a judge to declare the company’s security inadequate and order upgrades to meet industry standards.

In February, the case was transferred to North Carolina Business Court due to the complex corporate and data security issues involved.

About a month later, Bojangles filed a motion to dismiss. The company claimed the employees hadn’t shown the company failed to meet a legally recognized duty of care, that the breach caused their harm, or that they faced anything more than speculative future losses.

Following back-and-forth legal filings, Judge Julianna Earp allowed the majority of the case to move forward in an opinion and order issued June 29.

She let several key claims proceed, including allegations that Bojangles failed to protect employee data or notify workers quickly, and that it had an implied obligation to safeguard information collected as part of employment.

Read more Charlotte women die after accident in SC lake on July 4 weekend, coroner says

The court also allowed claims that the company unfairly benefited by skimping on security, may have violated North Carolina’s unfair-trade law, and could be ordered to clarify and improve its ongoing data-security duties.

However, Earp tossed the negligence claim, finding the plaintiffs couldn’t rely on the FTC Act or HIPAA as the kind of “public safety” laws North Carolina requires for that legal theory, according to the lawsuit.

The invasion-of-privacy claim was also dismissed because state law doesn’t recognize claims based on the disclosure of private facts, and the employees had willingly provided their information to Bojangles as part of the hiring process.

Bojangles was listed on a dark web leak site by a group identified as “Hunters International, a Russian Ransomware-as-a-Service group,” according to court records.

The data breach occurred between Feb. 19 and March 12, 2024. It exposed the data of thousands of current and former employees, compromising information such as names, Social Security numbers, driver’s license numbers, and health information, the Observer previously reported.

After Bojangles learned of the breach, the plaintiffs said the company left employees “in the dark,” waiting until Nov. 19, 2024, to notify them.

This was 274 days after the breach began. The plaintiffs claimed this delay gave them little time to protect their personal information, according to court records.

The plaintiffs, from the Carolinas, Tennessee and Texas, said they suffered damages including identity theft, emotional distress and financial loss from paying for credit monitoring. One plaintiff claimed their debit card was hit with $80 in fraudulent charges.

Bojangles offered employees a year of free credit monitoring and identity restoration services after the incident.

The plaintiffs want the case certified as a class action and decided by a jury.

Attorneys for the plaintiffs and Bojangles did not respond to requests for comment. Bojangles declined to provide a comment.

The Charlotte-based fried-chicken chain was founded in 1977 and has more than 800 restaurants across the U.S., according to its website. The company employs more than 9,000 people, according to its website.

Bojangles’ corporate headquarters at 500 Forest Point Circle employs more than 200 people.

Read more Dual roundabout project in NW Charlotte to require road closures over coming weeks

Leave a Reply

Your email address will not be published. Required fields are marked *