Chick-fil-A Data Breach Affecting Over 71K People Triggers Class Action Lawsuit [UPDATE]

New to ClassAction.org? Read our Newswire Disclaimer

Chick-fil-A faces a proposed class action lawsuit that claims its “reckless” and “negligent” cybersecurity practices are to blame for a data breach announced by the fast-food company in March 2023.

Want to stay in the loop on class actions that matter to you? Sign up for ClassAction.org’s free weekly newsletter here.

The 66-page lawsuit says that though Chick-fil-A purportedly first learned of suspicious activity on its networks in early January of this year, it was later revealed that hackers had mounted a “sustained attack” on the company’s website and mobile app between December 18, 2022 and February 12 of this year. The cyberattack targeted customers’ Chick-fil-A One accounts—a rewards program whereby consumers can earn redeemable points with every order—and reportedly compromised the personal information stored in 71,473 of these accounts, the suit relays.

The case explains that the private data exposed in the breach included customers’ names, email addresses, Chick-fil-A One account passwords, membership numbers, mobile pay numbers, QR codes, credit or debit card information, billing details and the amount of Chick-fil-A credit stored in each account. The complaint adds that the compromised data may also include customers’ dates of birth, phone numbers and physical addresses, if this information was saved in a Chick-fil-A One account.

As the filing claims, the cyberattack was a direct result of the company’s “utter failure” to implement basic cybersecurity policies to protect customers’ personal information. The highly confidential data was allegedly stored “unencrypted” and “unredacted” in the defendant’s systems and therefore left vulnerable to unauthorized access by cybercriminals, the lawsuit charges.

After discovering the fraudulent activity in January of this year, Chick-fil-A’s “confusing and botched series of announcements” only served to make matters worse, the suit argues. A statement the company posted on Twitter on January 4 “explicitly assured customers” that reports of suspicious activity on Chick-fil-A One accounts were “not the result of a compromise of Defendant’s internal systems,” the case explains.

It took another two months for Chick-fil-A to “contradict its initial public statement and admit to the Data Breach,” finally notifying victims by posting a notice letter on March 2, the complaint states.

However, the notice provided little detail as to how the breach occurred, why the company delayed notifying victims and what steps it is taking to safeguard their personal information in the future, the filing shares.

One plaintiff, a Missouri resident and member of the Chick-fil-A One rewards program, noticed on February 4 of this year that his account had been accessed by an unknown third party and charged $50, the lawsuit says. When the plaintiff called customer service, an agent “read off a canned script” and explained that, though several reports had been made by customers of “suspicious” account activity, “there was no data breach,” the suit states.

The other plaintiff in the case, a Georgia resident and Chick-fil-A One accountholder since 2021, experienced similar fraudulent activity on February 2 when she noticed two unauthorized $50 charges in her account, the case relays. The plaintiff emailed Chick-fil-A to report the activity and received two “canned” responses whereby the defendant “continued in its failure to admit the Data Breach, despite having knowledge of numerous customer complaints,” the filing contends.

The lawsuit looks to represent anyone in the United States whose personal information was accessed and/or obtained by an unauthorized party between December 18, 2022 and February 12, 2023 as a result of the data breach.

Get class action lawsuit news sent to your inbox – sign up for ClassAction.org’s free weekly newsletter here.