
Chipotle Hit with Class Action Over Employee Data Breach: Why Hospitality Employers Should Take Note

Earlier this month, Chipotle Mexican Grill was sued in a putative class action, which claimed that a late-2025 breach of sensitive employee data was a result of the restaurant chain’s “wrongful, reckless, and grossly negligent” failure to employ adequate data security. Chipotle had disclosed its discovery of “signs of unauthorized logins” in an unspecified number of employees’ Workday accounts. According to the disclosure, the bad actors evidently attempted to tamper with workers’ Workday profiles, including trying to change deposit account information – presumably to divert direct deposit funds into their own pockets. Other pages of the breached Workday profiles reportedly can contain sensitive personal information, including social security numbers, dates of birth, and account and routing numbers. The lawsuit, in which plaintiff Christian Jasso seeks to represent a class of “thousands” of similarly situated employees, alleges that Chipotle is at fault for the breach, to the tune of over five million dollars.

A Stark Reminder for the Hospitality Industry

The Chipotle case is the latest in a long string of data security class actions arising in the hospitality space, which highlight the industry’s special concerns around cybersecurity. By its nature, the hospitality industry – a hustle-and-bustle business that does not lend itself to orderly data practices – is uniquely vulnerable. The business model often necessitates holding personal data of a large variety of individuals who reside all over the country, or even all over the world, raising the challenge of how to comply with the patchwork of often-inconsistent data privacy and security laws of many jurisdictions. Hospitality companies frequently offer guests free Wi-Fi, potentially opening an attack vector popular with cybercriminals. And a workforce frequently characterized by high turnover and seasonal hiring makes effective data hygiene and training a special challenge. 

Risks Associated with Employee Data

Employee data, like that at issue in the Chipotle case, is an area of particular risk for hospitality companies. A restaurant or hotel may hold a huge amount of data about its guests, but its employees’ data is often far more sensitive in nature. Where guest data may be limited to identifiable information and credit card numbers, employee data often includes social security numbers, dates of birth, demographic information, information about next of kin, insurance information, employment history, and bank account information, among other things. Special care is required with such sensitive data and proactive employee training on potential cyberattacks is essential, as illustrated by the Chipotle case, in which the cyberattackers evidently tried to steal employees’ paychecks via direct deposit manipulation.

We're Here to Help

Post & Schell’s Hospitality and Retail Practice Group works hand in hand with the Employment and Labor Practice Group and the Data Privacy and Cybersecurity Practice Group to help companies proactively avoid and defend claims like those raised by the Chipotle case. Whether you are working to prospectively mitigate risk, your business has been the victim of a breach, or you have been sued over an alleged breach of privacy or security, we can help. 

For questions, please contact Abraham J. Rein, Chair, Data Privacy and Cybersecurity and Chair, White Collar Defense and Investigations at 215-587-1057 or arein@postschell.com, Charles W. Spitz, Principal, Casualty Litigation Department and Co-Chair, Hospitality and Retail at 215-587-6629 or cspitz@postschell.com, Theresa A. Mongiovi, Chair, Employment and Labor at 717-391-4410 or tmongiovi@postschell.com, or the Post & Schell attorney with whom you normally consult.

About the Authors

Abraham J. Rein is a Principal in the Firm's Internal Investigations & White Collar Defense Group, Co-Chair of its Information Privacy & Security Group, and a member of the Firm's Diversity and Inclusion Committee. He focuses particularly on the intersection of technology and the law, advising clients on legal aspects of data security, social media compliance, electronic discovery, the application of certain constitutional rights in a digital era, and related topics.


Charles W. Spitz is Co-Chair of the Firm's Hospitality & Retail Practice Group. He focuses his practice on representing members of the hospitality industry in a variety of legal disputes in both state and federal court. His clients include local and national food & hospitality companies, including hotel chains, management groups, and restaurants, as well as a variety of retail companies.


Theresa A. Mongiovi is a Principal and Chair of the firm's Employment and Labor Practice Group. She concentrates her practice on representing businesses, municipalities, non-profits, and executives in all aspects of the employment relationship. She also represents clients in business and commercial litigation. She litigates in various administrative agencies including the EEOC and PHRC as well as all state and federal courts in Pennsylvania.
