Monro appoints new CEO, faces cyber breach lawsuit

Monro, Inc., recently appointed a new president and CEO to lead the company following a significant cyber breach that occurred in late 2024. The company is facing a class action lawsuit as a result of this breach. Allegations suggest that Monro had inadequate security measures in place to protect sensitive personal information of both employees and customers from cybercriminals, making it vulnerable to the attack.

The lawsuit, filed in state Supreme Court in Monroe County, claims that Monro’s email system had weaknesses that hackers exploited to gain access to personal information. This legal action coincided with the departure of Michael Broderick as president and CEO, and the appointment of Peter Fitzsimmons, an executive from AlixPartners, to assume the leadership role in the company.

According to a company statement, the decision to change leadership was made to enhance operational efficiency, increase profitability, and improve shareholder returns. The lawsuit, filed on behalf of Susan J. Langenfeld and others affected, argues that Monro’s negligent IT practices and failure to implement proper security measures led to the breach. This breach resulted in the exposure of personal data, including names, social security numbers, addresses, dates of birth, ID numbers, and health information of employees.

The complaint suggests that the cyberattack did not require sophisticated hacking techniques but rather exploited existing vulnerabilities in Monro’s IT systems. It alleges that despite having the resources to protect sensitive information, Monro failed to invest in adequate safeguards. The lawsuit lists several negligent acts by Monro, including the failure to maintain secure data systems, implement timely updates and patches, monitor third-party security systems, and enforce robust security practices.

The legal action seeks compensatory damages, restitution for damages incurred, and a refund for any overpaid services. The lawsuit holds Monro accountable for failing to prevent the data breach and protect the personal information of its employees and customers. Monro notified its customers about the breach and emphasized the importance of safeguarding their information following the cyber security incident.

In conclusion, Monro’s appointment of a new CEO and the class action lawsuit illustrate the serious repercussions of cyber breaches and emphasize the critical need for companies to prioritize cybersecurity measures to protect sensitive data. The legal action serves as a reminder to businesses of the potential consequences of inadequate data security practices and highlights the importance of implementing robust measures to safeguard personal information.