This one is close to home. Bojangles — the Charlotte-based chicken-and-biscuits institution with roughly 800 locations across 17 states — is back in North Carolina headlines this week, and not for a new menu item. A North Carolina Business Court judge has ruled that a class-action lawsuit over the company’s 2024 data breach can move forward, largely denying Bojangles’ bid to have the case thrown out. The breach itself happened more than two years ago. The fallout, clearly, did not end with it.
There is a lot packed into this story — what was taken, who it hurt, and a legal saga that has bounced between federal and state court. But for a business owner, two lessons tower over the rest: the data that got these workers hurt was employee data, the kind every single employer holds, and the consequences of a breach can keep landing punches for years after the intrusion is over. Let’s break it down.
The story so far, at a glance
| Feb 19 – Mar 12, 2024 | Attackers spend roughly three weeks inside Bojangles’ corporate systems. The lawsuit attributes the breach to a criminal group reported to be linked to Russian hackers. |
| What was taken | According to the suit, more than 387,000 files of current and former employees’ information, later shared on the dark web. |
| Who was affected | Employees — not customers. Bojangles has said customer data was not impacted. |
| Jan 2025 | Current and former workers file a class-action lawsuit, seeking compensation and demanding the company improve its cybersecurity. |
| Sept 2025 | A federal judge dismisses the case — not because the breach didn’t happen, but because plaintiffs couldn’t yet show their data had actually been misused. |
| Feb 2026 | The workers refile in North Carolina Business Court. |
| July 2026 — this week | The state judge largely denies Bojangles’ motion to dismiss. The case moves forward. |
What was actually in those files
Court filings and news reports describe the stolen employee records as containing exactly the categories of information an identity thief dreams about:
- Names and home addresses
- Social Security numbers
- Driver’s license numbers
- Financial details
- Medical records
Take a moment with that list, because it is the heart of this whole story. None of that is customer data. It is the paperwork of employment — the information every person hands over on their first day of work, trusting their employer to keep it safe. When it leaks, the victims cannot simply cancel a card and move on. A Social Security number, a license, a medical history: these follow a person for life, and so does the exposure.
The lesson hiding in plain sight: you hold this data too
It is easy to read “800 locations in 17 states” and file this under big-company problems. But look again at what was stolen. Every employer in America — the five-person shop as much as the national chain — collects and keeps this exact kind of information. If you have ever hired anyone, somewhere you are holding:
- Tax and hiring paperwork — W-4s and I-9s carrying Social Security numbers and copies of licenses or passports
- Payroll and banking details — direct deposit forms with routing and account numbers
- Health-adjacent records — insurance enrollments, doctor’s notes, workers’ comp files
- Everything else — emergency contacts, home addresses, birthdates, applications from people you never even hired
And here is the uncomfortable question this story should raise: could you say, right now, exactly where all of that lives? In most small businesses the honest answer is “sort of.” Some of it is in a payroll platform. Some is in old email attachments. Some is in a spreadsheet on somebody’s desktop, a filing cabinet, a former manager’s laptop, a folder synced to a personal cloud account years ago. Employee data is the data businesses forget they have — collected once, needed rarely, and quietly accumulating for as long as the business exists. Nobody is watching it, precisely because nobody is using it. That is what makes it such a soft target.
The second storm: a breach doesn’t end when the hackers leave
Now look at the timeline again, because it teaches the other big lesson. The intrusion lasted about three weeks in early 2024. The consequences are still unfolding in July 2026 — two and a half years later — with no end date in sight. Dismissed in one court, revived in another, surviving a motion to dismiss this very week. Every step means legal fees, executive attention, discovery, depositions, and a fresh round of unflattering headlines with the company’s name next to the words “data breach.” The hackers were in the building for weeks. The lawsuit has already lasted eighteen months and counting.
That is the modern reality of a breach, and it scales down to small businesses in ways that are arguably worse. A large chain can absorb years of litigation. For a small business, even a fraction of that — an attorney on retainer, state notification requirements, a regulator’s letter, a handful of former employees with a legitimate grievance — can be an existential drain. And notice what the workers’ suit demands beyond money: it asks the court to force better cybersecurity. That reflects where the law is heading everywhere. Protecting the data you hold is increasingly treated not as a nice-to-have, but as a duty you owe the people who trusted you with it — and failing that duty is treated as negligence.
What this means for every North Carolina business
Boil the whole saga down and the takeaways are refreshingly plain:
- Employee data is radioactive. It is every bit as damaging to lose as customer data — arguably more, because it is richer and its victims are the people who show up for you every day.
- You hold it whether you think about it or not. Every W-4, direct deposit form, and insurance enrollment you have ever collected is still somewhere. The question is where, and who can reach it.
- The aftermath outlasts the attack. Three weeks of intrusion, two and a half years (so far) of consequences. The cheapest time to deal with a breach is before it happens.
- “We didn’t know” is not a defense. The direction of travel in courtrooms — including one in our own state, this week — is that safeguarding the data you hold is simply part of being in business.
Know what you hold, and where it lives
Here is the good news: the first and most valuable step costs nothing but honesty. Before any tool or policy, a business simply needs to know what sensitive information it actually holds, where every copy of it lives, and who can get to it. That inventory is exactly what almost no small business has ever done — and it is the difference between a company that can protect its people and one that finds out what it was holding only after someone else does.
That is precisely what our environment review delivers. We sit down with you and map, in plain language, the sensitive data your business holds — employee records very much included — where it is stored, what is protecting it, and where the quiet exposures are hiding. No jargon, no scare tactics, no obligation. A Charlotte company is spending its third year learning how expensive this question becomes when it gets answered by attackers and attorneys. Answer it on your own terms instead. Your employees handed you their Social Security numbers on day one because they trusted you. Let’s make sure that trust is well placed.
Sources: Law360; WSOC-TV; WCNC Charlotte; DataBreaches.net; court filings, 2024-2026. Allegations described here are claims from the ongoing lawsuit; Bojangles has said customer data was not impacted.













