A North Carolina Business Court judge is keeping the heat on Bojangles, refusing to toss a class action that accuses the Charlotte-based chain of leaving thousands of employee records exposed after a 2024 cyberattack. In a June 29 opinion, Judge Julianna Earp allowed most of the workers’ claims to move ahead, including allegations that the company failed to secure sensitive files and dragged its feet on alerting staff. The suit says names, Social Security numbers, driver’s license information and health data were accessed, dumped on the dark web and now warrant damages and court-ordered security upgrades.
According to The Charlotte Observer, Earp’s order keeps several major claims alive while trimming narrower invasion-of-privacy counts. The paper reports that the judge found the workers could not hang negligence claims solely on the FTC Act or HIPAA under North Carolina law, but otherwise left intact accusations about late notice and inadequate data protections.
Company Notice And What Was Taken
In its own public data-security notice, Bojangles says investigators first spotted suspicious activity on March 12, 2024 and later determined that certain files were viewed and downloaded between February 19 and March 12. The company says the breach “impacted employee information only” and lists potentially involved data types that match the lawsuit, including Social Security numbers, driver’s license numbers and medical information. To blunt the fallout, Bojangles offered affected workers one year of complimentary credit monitoring and identity-restoration services, as outlined in Bojangles.
What Workers Say
In court filings, employees say a group tied to the ransomware operation known as “Hunters” bragged online that it had posted more than 387,000 Bojangles files totaling roughly 290 gigabytes on a dark-web site. They claim some staffers have already dealt with fraud and out-of-pocket costs tied to the leak. The requested relief includes money damages, class certification and court orders forcing security upgrades and ongoing monitoring, as detailed in the ALM copy of the complaint. One named plaintiff has reported a small fraudulent debit charge, according to the filings and media coverage.
Court History And Legal Issues
This is not the first stop for the case. The workers initially sued in federal court, but that version of the lawsuit was dismissed in September 2025 for lack of Article III standing after the judge applied the U.S. Supreme Court’s TransUnion standard. The federal court concluded the plaintiffs had not laid out enough concrete misuse of their data to support damages claims, according to the memorandum and order available on Justia…