Golden Corral faces class-action suit over 2023 data breach

Dive Brief:

  • Golden Corral failed to properly secure and safeguard employees’ personally identifiable information in the wake of a 2023 data breach, an employee alleged in a class-action lawsuit filed last week.
  • According to the complaint, filed in the U.S. District Court for the Eastern District of North Carolina, Golden Corral discovered the breach by cybercriminals in August 2023. The restaurant chain allegedly waited “roughly six months” after the discovery to notify persons, including the plaintiff, whose information had potentially been compromised.
  • The suit asks for a jury trial as well as injunctive and other equitable relief including requiring Golden Corral to delete and purge affected employees’ personally identifiable information unless the company can provide justification for its retention and use. Golden Corral did not immediately respond to a request for comment.

Dive Insight:

If recent years have made anything clear to HR, it’s that employer databases are prime targets for cybercrime.

More than 180,000 people were affected by the Golden Corral breach, according to a public notification published by the Office of the Maine Attorney General. The same notice found that the information compromised in the breach included names and other personal identifiers in combination with Social Security numbers.

According to the class-action suit, Golden Corral offered affected persons a two-year subscription to an identity theft monitoring and protection program offered by credit reporting firm Experian. However, the plaintiff alleged that this offer “is inadequate when the victims will likely face many years of identity theft.”

HR data security presents a challenge for employers in part because it may flow through several vendors and third parties for operational purposes, sources previously told HR Dive. Cybercriminals also may leverage HR-related concerns in order to perpetrate phishing attacks, which ask victims to click on suspicious links or comply with fraudulent requests. Security training firm KnowBe4 found in a 2023 report that about half of email subject lines clicked during phishing tests contained HR-related messaging.

One of the worst breaches in recent cybersecurity history involved HR vendor UKG. The 2021 attack, which affected the company’s Kronos Private Cloud timekeeping and payroll services, knocked out critical HR functions for weeks and led to millions of dollars in payouts for lost wages, benefits and other compensation.

Training is key for organizations as they prepare employees for potential attacks, but experts in the industry also have called for the creation of comprehensive plans that can be activated in the event of a breach. Elements of such plans may include notification protocols, identification of any compromised information and communications strategies to keep employees notified.