
A North Carolina Business Court judge is keeping the heat on Bojangles, refusing to toss a class action that accuses the Charlotte-based chain of leaving thousands of employee records exposed after a 2024 cyberattack. In a June 29 opinion, Judge Julianna Earp allowed most of the workers’ claims to move ahead, including allegations that the company failed to secure sensitive files and dragged its feet on alerting staff. The suit says names, Social Security numbers, driver’s license information and health data were accessed, dumped on the dark web and now warrant damages and court-ordered security upgrades.
According to The Charlotte Observer, Earp’s order keeps several major claims alive while trimming narrower invasion-of-privacy counts. The paper reports that the judge found the workers could not hang negligence claims solely on the FTC Act or HIPAA under North Carolina law, but otherwise left intact accusations about late notice and inadequate data protections.
Company Notice And What Was Taken
In its own public data-security notice, Bojangles says investigators first spotted suspicious activity on March 12, 2024 and later determined that certain files were viewed and downloaded between February 19 and March 12. The company says the breach “impacted employee information only” and lists potentially involved data types that match the lawsuit, including Social Security numbers, driver’s license numbers and medical information. To blunt the fallout, Bojangles offered affected workers one year of complimentary credit monitoring and identity-restoration services, as outlined in Bojangles.
What Workers Say
In court filings, employees say a group tied to the ransomware operation known as “Hunters” bragged online that it had posted more than 387,000 Bojangles files totaling roughly 290 gigabytes on a dark-web site. They claim some staffers have already dealt with fraud and out-of-pocket costs tied to the leak. The requested relief includes money damages, class certification and court orders forcing security upgrades and ongoing monitoring, as detailed in the ALM copy of the complaint. One named plaintiff has reported a small fraudulent debit charge, according to the filings and media coverage.
Court History And Legal Issues
This is not the first stop for the case. The workers initially sued in federal court, but that version of the lawsuit was dismissed in September 2025 for lack of Article III standing after the judge applied the U.S. Supreme Court’s TransUnion standard. The federal court concluded the plaintiffs had not laid out enough concrete misuse of their data to support damages claims, according to the memorandum and order available on Justia.
What’s Next
After that setback, the plaintiffs refiled in Wake County Superior Court in December 2025, and the case was sent to the North Carolina Business Court in February 2026. The state-court matter is captioned Dougherty v. Bojangles, 25-CVS-46572. CourtListener records reflect Judge Earp’s June 29 ruling that keeps most claims in play, and legal analysts say the decision fits a broader trend of state courts probing how far data-breach remedies can go now that federal standing rules have tightened. Industry coverage from Law360 notes the Business Court declined to give Bojangles an early exit.
Why It Matters In Charlotte
Bojangles, a Carolina-born restaurant brand with roughly 800 locations and a corporate support center at 500 Forest Point Circle in Charlotte, reports employing nearly 10,000 people. For that local workforce, the Business Court’s ruling keeps alive the question of whether employees hit by a breach can not only recover damages but also force long-term security changes at one of the region’s marquee employers. The decision sets up what could be a drawn-out state-court fight over class certification and the scope of any relief. Attorneys for both the plaintiffs and Bojangles did not immediately respond to requests for comment.









