A proposed class action claims burger restaurant chain Five Guys failed to prevent a September 2022 data breach that exposed personally identifiable information belonging to thousands of job applicants and current and former employees.
The 38-page case alleges Five Guys failed to properly secure and safeguard sensitive data stored on its network and allowed an unknown actor to access files containing employees’ and applicants’ unencrypted names and Social Security numbers on September 17 of last year. Per the suit, Five Guys left itself vulnerable to the cyberattack by failing to comply with minimum industry standards for cybersecurity, even though it is a large, “sophisticated enterprise” with the resources to invest in adequate data security measures.
Moreover, the case says, a substantial increase in data breaches in recent years, especially at other industry-leading companies, should have motivated Five Guys to better protect its electronic records.
As a result of the data breach, victims now face a lifetime risk of identity theft, as well as “anxiety, emotional distress, loss of privacy,” and out-of-pocket expenses associated with fraud and abuse, the complaint contends. The case also stresses that victims’ information may be traded on the cyber black market, where stolen identity credentials are in high demand, and consequential fraudulent activities may not transpire for years.
The lawsuit also explains that the harm done to victims has been exacerbated by Five Guys’ slow disclosure of the incident. The suit says that Five Guys learned of the data breach on September 17 but did not notify victims or the proper authorities until three months later, on December 29. Although Five Guys admitted that the compromised files had been “improperly stored,” the letter did not mention the root cause of the breach or which specific vulnerabilities had been exploited, the filing alleges.
According to the complaint, Five Guys has offered affected individuals one year of credit monitoring and identity theft protection, which they must enroll in by March 29, 2023.
“In offering such identity monitoring services Defendant recognized Plaintiff’s and Class Members’ need to protect their identities as a result of the Data Breach, yet, the offered services are inadequate to protect Plaintiff and Class Members from the threats they face presently and for years to come, particularly in light of the sensitive [personally identifiable information] at issue here,” the case reads.
The lawsuit looks to represent anyone in the United States whose personally identifiable information was compromised in the data breach first announced by Five Guys on or about December 29, 2022.