Dickey’s BBQ Restaurants Data Breach: Class Action Alleges Victims at Risk of Fraud, Identity Theft [UPDATE]
Last Updated on January 11, 2023
Marhefka v. Dickey’s Barbecue Restaurants, Inc.
Filed: April 5, 2021 ◆§ 3:21-cv-00585
A class action alleges Dickey’s Barbecue Restaurants failed to exercise reasonable care in safeguarding customers’ personal information in light of a months-long data breach.
Case Updates
January 10, 2023 – Dickey’s Data Breach Settlement Website Now Live
The official website for the settlement detailed below is now live and can be found at DickeysClassAction.com.
The deal aims to cover U.S. residents who used their credit or debit card at a Dickey’s Barbeque Pit location affected by the data breach between April 23, 2019 and October 29, 2020. Click here for a list of affected restaurants.
Those covered by the settlement are eligible to file a claim for either expense reimbursement, cash payment or credit services. Consumers who select the expense reimbursement option can file a claim with supporting documentation for reimbursement of out-of-pocket losses incurred in connection with the breach, for a maximum amount of $5,000. The cash payment option will provide an estimated payment of $100 for California residents or $50 for non-California residents. The credit services option will provide claimants with a 24-month plan that includes three-bureau credit monitoring, identity restoration services and $1 million of identity theft insurance coverage.
To file a claim, head to this page. The deadline to submit a claim is April 22, 2023.
As part of the settlement, Dickey’s has also agreed to implement security improvements designed to help safeguard customers’ payment card information.
For more information about the settlement, check out the settlement website’s FAQs page or reach out to the settlement administrator using the contact information found here.
Don’t miss out on settlement news like this. Sign up for ClassAction.org’s free weekly newsletter here.
August 18, 2021 – Dickey’s Data Breach Class Actions Settled for $2.35 Million
Dickey’s has agreed to pay $2.35 million to settle class action lawsuits filed over a data breach that affected around three million customers nationwide.
Although the proposed deal does not specifically settle the lawsuit detailed on this page, the case is one of a few related actions whose class members (i.e., those the case looks to represent) would be bound by the terms of the settlement if and when it’s approved by a judge.
Learn more here.
Don’t miss out on settlement news like this. Sign up for ClassAction.org’s free weekly newsletter here.
A proposed class action alleges Dickey’s Barbecue Restaurants failed to exercise reasonable care in safeguarding customers’ personal information in light of a months-long data breach first reported by cybersecurity experts last fall.
The 32-page lawsuit relays that Krebs on Security revealed in an October 15, 2020 blog post that payment card data had been stolen from Dickey’s customers at more than 100 of its restaurant locations nationwide. According to the Krebs article, a dark web payment card marketplace known as “Joker’s Stash” debuted a collection of more than three million stolen payment card records while advertising “validity rates” for the cards of between 90 to 100 percent.
The stolen payment cards had been used at one or more Dickey’s restaurants over the preceding 13 to 15 months, a time period spanning May 2019 to September 2020, the complaint says. According to the case, cyber intelligence firm Gemini Advisory reported that approximately 156 Dickey’s locations across 30 states likely had payment systems compromised by payment card-stealing malware, with the highest levels of exposure in California and Arizona. Gemini Advisory further concluded that the payment transactions at Dickey’s restaurants were processed by way of an “outdated magstripe method” prone to malware attacks, the lawsuit says.
The proposed class action, filed in California federal court on April 5, alleges the Dickey’s data breach was the result of the restaurant’s “inadequate approach to data security and protection of its customers’ [personally identifying information]” collected during the course of business. The case claims Dickey’s also failed to timely notify those affected by the data breach.
From the suit:
“Defendant disregarded the rights of Plaintiff and the Class by intentionally, willfully, recklessly, or negligently failing to take adequate and reasonable measures to ensure its data systems were protected, failing to disclose to its customers the material fact that it did not have adequate computer systems and security practices to safeguard PII, failing to take available steps to prevent the Data Breach, and failing to monitor and timely detect the Data Breach.”
According to the complaint, Dickey’s could have prevented this data breach given a number of other restaurant and retail chains have been hit with similar malware-based attacks on their point-of-sale (POS) systems in recent years. Per the suit, the susceptibility of POS systems is “well-known through the restaurant industry” and has been exploited in “practically every major data breach involving retail stores or fast-food restaurants” in the last five years.
“Unfortunately, Defendant’s decision to ignore warnings like this led to the damage alleged here,” the case says.
Dickey’s is no stranger to data breaches, according to the case. In 2015 the restaurant was hit with a ransomware attack wherein the perpetrator demanded $6,000 in exchange for the return of Dickey’s marketing files, the suit says. In the wake of that incident, Dickey’s published an article in which it detailed what happened and its commitment to “a robust cybersecurity posture,” including quotes from the chain’s then-CEO and an endorsement of investing in proactive cybersecurity measures.
Despite the foregoing, the lawsuit says, Dickey’s “again failed to protect its customers PII with adequate data security.” As a result of the ransomware attack, proposed class members’ information has been exposed to criminals for misuse, and the consumers face, among other potential damages, a heightened risk of identity theft, fraud and the expenditure of time and resources to protect against and/or investigate such, the lawsuit says.
On March 23, a federal judge in Texas consolidated three proposed class actions against Dickey’s over the data breach. Prior to that event, the U.S. Judicial Panel on Multidistrict Litigation declined to transfer the lawsuits to California to be joined with three other lawsuits pending in the state over the ransomware attack, Law360 reports.
Get class action lawsuit news sent to your inbox – sign up for ClassAction.org’s free weekly newsletter here.
Before commenting, please review our comment policy.