ST. LOUIS — Four class-action lawsuits have been filed against Panera Bread alleging damages caused by a data breach.
Nasia Sanchez, David Forster, Samantha Baldwin and Mathew Baldwin and Nia Buchanan all filed lawsuits in federal courts in Missouri against Panera Bread on June 18 — three in U.S. District Court for the Eastern District of Missouri and one in U.S. District Court for the Western District of Missouri.
The plaintiffs claim Panera failed to secure and safeguard their and other class members' personally identifiable information (PII). This information includes sensitive data, like names and Social Security numbers.
According to the suits, the lawsuit stems from a massive cyberattack discovered on June 13.
Although Panera claims to have discovered the breach on March 23, they did not notify the affected individuals until June 13, leaving them in the dark about the breach's duration and scope, the complaints state.
The plaintiffs only learned of the breach through letters from Panera.
The class actions state that Panera had collected and stored the sensitive information, fully aware that it would be used for services provided to the plaintiffs and class members.
Despite this, the company allegedly failed to implement adequate measures to protect the data.
The plaintiffs contend that Panera acted intentionally, willfully, recklessly and negligently by not ensuring the data's security, failing to prevent unauthorized disclosure and not adhering to necessary data encryption protocols.
As a result of the breach, the plaintiffs and class members have faced significant repercussions, including time and effort spent addressing the breach's impact, exploring credit monitoring and identity theft insurance options, self-monitoring accounts and seeking legal counsel, according to the suits.
The plaintiffs claim actual injury due to the breach and note that cybercriminals are exploiting the data for financial gain and can sell that data on the dark web.
The plaintiffs claim that Panera failed to take appropriate steps to secure the data despite the known risks and the prevalence of such cyberattacks in the industry, which has left the plaintiffs exposed to potential future breaches and ongoing threats.
The lawsuits note that the defendant failed to take reasonable measures to meet data security obligations and should have taken appropriate measures to protect against unauthorized access.
"Several best practices have been identified that—at a minimum—should be implemented by businesses like Defendant," one of the lawsuits states. "These industry standards include: educating all employees; strong passwords; multi-layer security, including firewalls, anti-virus, and antimalware software; encryption (making data unreadable without a key); multi-factor authentication; backup data; and limiting which employees can access sensitive data."
The lawsuits note that the defendant failed to even meet the minimum standards of cybersecurity frameworks.
The plaintiffs are seeking compensatory damages. They are represented by Maureen M. Brady of McShane & Brady in Kansas City; M. Anderson Berry, Gregory Haroutunian and Michelle Zhu of Clayeo C. Arnold in Sacramento, Calif.; Raina C. Borrelli and Samuel J. Strauss of Strauss Borrelli in Chicago; J. Matthew French of Morgan & Morgan in St. Louis; Patrick A. Barthle of Morgan & Morgan in Tampa, Fla.; Ryan D. Maxey of Maxey Law Firm in Tampa, Fla.; and Laura Grace Van Note of Cole & Van Note in Oakland, Calif.
The attorneys for the parties declined to comment further on the class actions.
U.S. District Court for the Eastern District of Missouri case numbers: 4:24-cv-00847, 4-24-cv-00848, 4-24-cv-00849; U.S. District Court for the Western District of Missouri case number: 2:24-cv-04099