Panda Restaurant Group settles for $2.45M over data breach affecting 240,000 employees

Panda Restaurant Group has agreed to a $2,450,000 settlement to resolve a class action over a data-security incident that potentially affected about 240,295 current and former employees, court records show. The proposed deal resolves claims that employee personal information was accessed and aims to provide cash payments, reimbursement for documented losses, and identity-protection services to affected workers.

Plaintiffs lodged a range of claims including negligence, breach of implied contract, unjust enrichment, breach of fiduciary duty, and requests for declaratory and injunctive relief. The case is Halliday, et al. v. Panda Restaurant Group, Inc., No. 24STCV12667, pending in the Superior Court of California, County of Los Angeles. The parties say Panda did not admit wrongdoing and settled to avoid the expense and uncertainty of trial and potential appeals. "The Court has not decided who is right as part of the settlement process. The parties agreed to a settlement to avoid the cost and risk of a trial and related appeals."

Settlement materials filed in the case outline the timeline investigators provide: suspicious activity was detected in Panda’s network on March 10, 2024, with unauthorized access occurring between March 7 and March 11, 2024. On April 15, 2024 Panda confirmed that compromised files included full names, Social Security numbers, and dates of birth, and on April 30, 2024 the company reported the incident to the Office of the Maine Attorney General and began sending notification letters.

Eligible class members may choose between two primary monetary options. Documented-loss reimbursement is available for out-of-pocket expenses up to $5,000 per claimant, with the settlement noting that "[...] all documented-loss claims must be accompanied by proof of the claimed expenses, including invoices, receipts, bank statements, and similar documents that are not self-prepared." The alternative is a one-time cash payment estimated at about $100; "No proof or explanation is required from class members to receive the alternative cash payment." Those cash awards may be pro-rated based on the number of valid claims and deductions for attorneys’ fees, administrative expenses, and lead plaintiff service awards. Class members who lived in California at the time of the breach are eligible for an additional statutory payment of up to $125, which may also be pro-rated.

The settlement also provides identity-protection services, though filings differ on duration and scope. Some materials describe one year of credit monitoring and identity-theft restoration services while other settlement descriptions list two years of three-bureau monitoring, dark-web scanning, public-records monitoring, identity-theft insurance, and fraud resolution agents. A.B. Data Ltd. is listed as the settlement administrator for mailed claims at P.O. Box 173073, Milwaukee, WI 53217.

Important administrative dates include an exclusion and objection deadline of March 23, 2026, a frequently cited claim-form deadline of April 10, 2026, and a final approval hearing on April 20, 2026 at 10:30 AM PT; one settlement record shows an alternate claim deadline of April 13, 2026. Payments are expected to be distributed after the final approval hearing, pending court approval.

Affected workers should review any notice they received for claim instructions, gather non-self-prepared documentation for documented-loss claims if applicable, and submit timely claims to preserve eligibility. Employees seeking legal help were directed in outreach materials to contact Arnold Law Firm at (916) 777-7777. The settlement resolves the immediate claims but underscores an ongoing risk for restaurant workers: payroll and benefits data can expose sensitive information that requires prompt monitoring and clear communication from employers.