Panera Bread is facing lawsuits filed by at least 11 workers who say the company failed to protect their personal information in a “massive and preventable” cyberattack earlier this year.
Eight lawsuits have been filed in U.S. District Court for the Eastern District of Missouri, starting on June 18, and another two were filed in the court’s Western District (one lawsuit represents two workers). The lawsuits are almost identical in their claims and seek class-action status. Two were filed on Tuesday.
A motion was filed to consolidate six of the lawsuits on Monday, and attorneys argue in court documents that the number of previous and current workers potentially impacted could be in the tens or hundreds of thousands. As of last year, the St. Louis, Missouri-based Panera had about 14,000 employees, the filing said.
The complaints stem from a cyberattack that the plaintiffs say occurred in February, though the company said it was not aware of a data breach until March.
It was in March that Panera’s digital channels suffered an outage that was believed to be the result of a ransomware attack.
At the time, the more than 2,100-unit chain’s website and app were down or hampered for three days, as were in-store kiosks. Guests couldn’t access the loyalty program and workers reportedly couldn’t access digital schedules—though restaurants remained open.
The lawsuits do not specifically cite the digital outage as evidence of the data breach, however. Panera has declined to explain or respond to repeated questions about the outage.
But in a statement to Restaurant Business on Tuesday, Panera officials confirmed a security incident was detected on March 23, the same weekend as the outage. A cybersecurity firm was engaged, and law enforcement was notified, the company said.
“A thorough investigation was conducted, and the investigation identified unauthorized access to certain corporate files. We are reviewing those files and providing appropriate notifications,” the statement said. “We take these matters seriously and are committed to reviewing and enhancing our existing security measures.”
In the lawsuits, however, the workers say they were not officially notified of a data breach until June 13 or later, when letters went out to those who were potentially impacted. It’s not clear how many current or former workers were notified.
Workers were also offered credit monitoring, identity theft insurance and other protective services.
Fundamentally, the lawsuits contend that the company failed to properly secure personally identifiable information, including names, social security numbers, health records and other private data, despite the known threat.
The charges include negligence, breach of contract, invasion of privacy, breach of fiduciary duty and other claims.
The lawsuits also seek damages for lost time, annoyance, interference and inconvenience, as well as anxiety about cybercriminals having access, using or selling the employees’ private information, and potential fraud that may not show up until years later.
The employees named as plaintiffs in the lawsuits include Nasia Sanchez, Samantha Baldwin, Matthew Baldwin, David Forster, Messiah J. Weddle, Erin McKeon, Gracelyn Donovan, Nia Buchanan and Sydney Hollis, all from various states across the country.
It isn’t the first time Panera has been charged with exposing sensitive data. In 2018, the company’s website inadvertently revealed some private customer data before the website was pulled, an incident that was cited in some of the lawsuits.
It has been a rough year for Panera.
The fast-casual chain is also facing multiple lawsuits tied to its caffeinated Charged Lemonade, which has been blamed for two deaths, as well as the cardiac arrest of a teenager. The lemonades have since been phased off the menu.
Panera Bread is owned by the Europe-based conglomerate JAB Holding Co., which last year indicated it was preparing Panera Brands—a group that includes Panera Bread, Caribou Coffee and Einstein Bros. Bagels—for a potential initial public offering.
UPDATE: This article has been updated to include two more lawsuits filed on June 25.
Members help make our journalism possible. Become a Restaurant Business member today and unlock exclusive benefits, including unlimited access to all of our content. Sign up here.