The Choice Hotels Data Breach Class Action refers to multiple lawsuits filed against Choice Hotels International, Inc. following a January 2026 social engineering attack that compromised sensitive personal information of franchisees and franchise applicants. The breach exposed names, contact information, Social Security numbers, and dates of birth—the kind of detailed data that identity thieves actively seek. For example, a franchisee applicant might have had their Social Security number and date of birth stolen, creating immediate risk for identity theft or tax fraud.
Choice Hotels announced the breach on January 26, 2026, weeks after the unauthorized access occurred on January 14, 2026. The company began notifying affected individuals on February 19, 2026, offering two years of free identity-theft protection through Epiq Privacy Solutions. Within days of the initial notification, multiple law firms began investigating the incident, and by late February 2026, at least five separate class action lawsuits had been filed in federal court. As of May 2026, no settlements have been reached; the cases remain in active litigation.
Table of Contents
- How Did Attackers Breach Choice Hotels’ Security?
- What Personal Information Was Compromised?
- What Legal Actions Were Filed Following the Breach?
- What Compensation and Support Can Affected Individuals Claim?
- What Are the Key Risks and Limitations You Should Understand?
- How to Protect Yourself and Monitor Your Information
- What’s Next for the Class Action Litigation?
How Did Attackers Breach Choice Hotels’ Security?
The breach occurred through a social engineering attack that successfully defeated the company’s multi-factor authentication (MFA) security measures. Rather than exploiting a software vulnerability or using brute-force password attacks, attackers manipulated individuals into granting access—a tactic that remains one of the most effective methods for bypassing even strong technical controls. The unauthorized session was shut down within one hour of detection, suggesting that the company’s monitoring systems worked properly once the attack was underway.
This highlights a critical limitation of MFA alone: determined attackers can sometimes trick employees into authorizing access even when multiple authentication factors are in place. Think of it like having a security guard at a building entrance who can still be socially engineered into letting someone through, even if they have multiple forms of ID to verify. The incident underscores why companies must combine technical security with regular employee training on social engineering tactics and zero-trust access policies.
What Personal Information Was Compromised?
The breach exposed highly sensitive data including names, contact information, Social Security numbers, and dates of birth. These weren’t just mailing addresses—the combination of SSN, name, and DOB represents the exact information needed to open fraudulent accounts, file false tax returns, or apply for loans in someone else’s name. The impact fell primarily on franchisees and franchise applicants, making this attack particularly damaging since these individuals have verifiable business operations and likely higher credit scores that make them attractive targets for identity thieves.
One critical limitation of the post-breach support offered by Choice Hotels: two years of free credit monitoring, while valuable, is not indefinite. Identity theft can occur years after a breach, and criminals may hold onto stolen data before using it. Franchisees and applicants should continue monitoring their credit reports and Social Security number usage well beyond the two-year complimentary period, potentially using other monitoring tools or freezing their credit at the three major credit bureaus (Equifax, Experian, and TransUnion) at no cost.
What Legal Actions Were Filed Following the Breach?
Multiple class action lawsuits were filed in the U.S. District Court for the District of Maryland, including Faulcon v. Choice Hotels International, Inc. (filed February 23, 2026) and Sanchez, et al. v. Choice Hotels International Inc.
(Case No. 8:26-cv-00781-TDC). Both lawsuits allege that Choice Hotels failed to maintain reasonable security procedures and practices, allowing the social engineering attack to succeed. Attorneys with Wolf Haldenstein Adler Freeman & Herz LLP, Edelson Lechtzin LLP, Strauss Borrelli PLLC, Cole & Van Note, and SLFLA have all issued data breach investigation notices. The fact that multiple law firms filed separate cases, rather than a single unified action, shows how fragmented litigation can be in the early stages of a data breach. Different plaintiffs’ attorneys sometimes pursue slightly different angles or represent different groups of affected individuals, but eventually cases may consolidate into a multi-district litigation (MDL) for efficiency. As of May 2026, the cases remain in investigation and early litigation phases—no settlements have been announced, meaning affected individuals cannot yet file claims or receive compensation through a class action settlement.
What Compensation and Support Can Affected Individuals Claim?
Currently, Choice Hotels is providing two years of free credit-monitoring and identity-theft protection through Epiq Privacy Solutions at no cost to affected individuals. This includes credit reports, credit scoring, identity theft insurance, and fraud resolution services. For those who have already experienced identity theft related to the breach, this may help mitigate damages. However, this is not the same as monetary compensation—it’s preventative support.
Once a class action settlement is eventually reached (if one is approved by the court), affected individuals may become eligible for direct compensation. This could take the form of cash settlements, extended credit monitoring, or a claims process where individuals with documented losses can seek reimbursement. A key tradeoff: settlements typically involve trade-offs between speed and payout size. A settlement reached quickly might offer smaller per-person payouts, while a longer litigation process could yield larger payouts but takes years to resolve. Individuals should monitor the litigation progress and watch for official notices about any future settlement agreements.
What Are the Key Risks and Limitations You Should Understand?
Franchisees and franchise applicants who experienced this breach face specific vulnerabilities. Unlike customers of a hotel chain, franchisees are business owners or entrepreneurs with established financial profiles—exactly the type of identity that criminals target for opening business lines of credit or applying for loans. A warning: the two-year monitoring period through Epiq expires, but identity theft risks may persist indefinitely.
Credit monitoring companies can alert you to new accounts opened in your name, but they cannot prevent determined criminals from attempting fraud. Another limitation to understand: participating in a class action as an affected individual typically requires proving that you were notified of the breach and that your data was compromised. Choice Hotels mailed notification letters starting February 19, 2026. If you were a franchisee or applicant and did not receive this notification, you may need to take steps to register yourself with the class action claims process (when one becomes available) or contact one of the investigating law firms directly.
How to Protect Yourself and Monitor Your Information
If you received a notification letter from Choice Hotels, immediately enroll in the free Epiq Privacy Solutions credit monitoring (check the notification letter for the enrollment code and deadline). Beyond that, place a fraud alert with at least one of the three major credit bureaus—this is free and alerts creditors to verify your identity before opening new accounts. For stronger protection, consider a credit freeze, which prevents new credit from being opened in your name without your explicit authorization.
Check your Social Security Administration account at ssa.gov and your IRS account at irs.gov to ensure no fraudulent activity appears. Review your annual credit reports at annualcreditreport.com—you’re entitled to one free report per year from each bureau. Document the breach notification you received from Choice Hotels, as you may need proof of notification to file a claim in the eventual class action settlement.
What’s Next for the Class Action Litigation?
As of May 2026, the Faulcon and Sanchez cases are in the early investigation phase. Both cases assert that Choice Hotels’ inadequate security measures allowed the breach to occur, establishing negligence and violation of consumer protection laws. The typical timeline for data breach class actions can range from one to three years before a settlement is reached and approved by the court.
During this period, discovery will reveal more details about Choice Hotels’ security practices, the attack timeline, and the company’s response procedures. Eventually, if a settlement is reached, affected individuals will receive formal notice explaining how to submit claims, what documentation is required, and the deadline for filing. Legal fees and administrative costs are typically paid from the settlement fund before individual payouts, meaning the amount each person receives is less than the total settlement value. Stay informed by periodically checking the court dockets for the Faulcon and Sanchez cases or signing up for case updates through the investigating law firms’ websites.