August 18, 2021 – Proposed Settlement Reached in Related Class Actions
Dickey’s Barbecue Restaurants has agreed to pay $2.35 million to resolve three consolidated class action lawsuits filed over a 2019-2020 payment system data breach that affected roughly three million customers nationwide.
Although the proposed settlement, which awaits preliminary approval from a judge before proceeding, does not specifically resolve the suit detailed on this page, it would, if approved, bind the plaintiffs and those they look to represent. Court filings state that the lawyers in three of the six actions pending against Dickey’s over the data breach “worked together to negotiate an excellent settlement on behalf of the proposed class.”
The proposed settlement covers all U.S. residents who used a payment card to make a purchase at any Dickey’s Barbecue Pit restaurant affected by the data breach between April 23, 2019 and October 29, 2020. A list of Dickey’s locations compromised by the breach can be found starting on page 36 of the court document linked here.
The creation of an official settlement website, where Dickey’s customers would be able to file claims for compensation, is forthcoming. If approved, the settlement will offer Dickey’s customers one of three types of relief:
Reimbursement for documented out-of-pocket costs;
A cash payment of approximately $100 for California residents and approximately $50 for non-California residents, depending on how many claims are filed; and
Three-bureau credit monitoring, identity restoration services, fraud resolution assistance and identity theft insurance coverage for 24 months.
Dickey’s has also agreed as part of the settlement to adopt certain business practices designed to better safeguard customer payment information for a period of at least three years.
Don’t miss out on settlement news like this. Sign up for ClassAction.org’s free weekly newsletter here.
The operators of Dickey’s Barbeque Pit face a proposed class action lawsuit after roughly three million credit card numbers were reportedly “siphoned” from more than 150 restaurant locations from May 2019 through at least September 2020 and put up for sale on the dark web.
The 26-page consumer privacy lawsuit alleges “lax security measures” on the part of defendants Dickey’s Barbecue Restaurants Inc. and Dickey’s Capital Group, Inc. are to blame for the barbeque joint’s latest “massive” data breach.
“This is not the first cyber attack Dickey’s has suffered in recent years,” the complaint reads, claiming the breach may have continued undetected had the stolen information, which was made for sale on the “Joker’s Stash” marketplace, not been reported on by industry experts.
The lawsuit claims Dickey’s, the “fastest-growing BBQ chain” in the country, has violated California law by failing to notify customers whose credit card numbers and personal identifying information (PII) were stolen and sold due to the data breach. The defendants’ failure to notify those affected by the incident has left consumers at a disadvantage in taking proactive measures to protect their identities and finances and to guard against potential fraud, the suit argues.
According to the complaint, the Dickey’s data breach, dubbed the “BlazingSun” breach, has been reported on by a number of reputable cyber-security researchers, including Brian Krebs, Gemini Advisory and Q6 Cyber. Citing the researchers’ findings, the lawsuit says the compromised “BlazingSun” credit card numbers belonged to consumers spanning 35 states, with the highest number of affected accounts coming from California, where Dickey’s has 66 locations.
Per the suit, the data protection industry researchers have traced the origin of the stolen financial details to the Dickey’s data breach and specific Dickey’s locations.
“There are thousands of cards in ‘BlazingSun’ from zip codes surrounding that location and others in California, with more being released for sale on an ongoing basis,” the case reads.
According to the suit, the Dickey’s data breach is a clear violation of the California Consumer Privacy Act in that the disclosed information, whether it’s encrypted or unencrypted, includes an individual’s first name (or first initial) and their last name in combination with a credit or debit account number and any required security code, password or access code that would permit access to the individual’s financial account.
In all, the defendants have failed to maintain reasonable security controls and systems appropriate for the type of PII in their control, the suit contests. Dickey’s “knew or should have known” about industry-standard data protection measures, such as using secure chip card readers in place of card swiping, that could have been used to protect customers’ information, the lawsuit says.
More troubling is the fact that Dickey’s apparently did not know the data breach was taking place for months, the suit stresses:
“Defendants also failed to maintain proper measures to detect hacking and intrusion. For example, Dickey’s did not learn that 3 million of its customers’ payment cards had been stolen until the hack was publicly reported by third parties – at least 16 months after it began. Defendants should have had breach detection protocols in place, which could have detected the breach and alerted customers much sooner.”
The lawsuit looks to cover all consumers who made a purchase from Dickey’s using a payment card, or otherwise disclosed payment information to the restaurant, at any time since January 1, 2020 and whose personal information was compromised, including as part of the Joker’s Stash BlazingSun data set.
Get class action lawsuit news sent to your inbox – sign up for ClassAction.org’s newsletter here.