7-Eleven data breach exposes personal information of over 185,000 people

A data breach at convenience store chain 7-Eleven has exposed personal information belonging to more than 185,000 people, according to data breach notification service Have I Been Pwned. The compromised information includes names, dates of birth, physical addresses, phone numbers, and email addresses.

The incident highlights the ongoing threat that ransomware and extortion groups pose to retail companies, which often handle large amounts of customer data through loyalty programs, mobile apps, and franchisee systems. For affected individuals, the breach creates potential risks for identity theft and targeted phishing attacks.

Have I Been Pwned reported that the ShinyHunters hacking group claimed responsibility for the attack, which they described as a hack-and-extortion operation. The group threatened to publish the stolen data publicly if 7-Eleven refused to pay.

According to filings with state attorneys general, the hackers gained access to an internal server that contained franchisee documents. Jim Kastle, 7-Eleven’s chief information security officer, confirmed the breach in a listing with Maine’s attorney general’s office. A separate filing with Massachusetts authorities revealed that the compromised data also included Social Security numbers and driver’s licenses.

The ShinyHunters group has been linked to numerous high-profile data breaches over the past few years, often targeting companies with valuable customer databases. Their typical approach involves stealing sensitive data and then demanding payment to prevent its public release.

The breach affects a significant number of people and includes the type of personally identifiable information that can be used for identity theft. The combination of names, birth dates, addresses, and Social Security numbers gives criminals enough information to potentially:

  • Open fraudulent accounts
  • File false tax returns
  • Apply for government benefits
  • Conduct targeted social engineering attacks

7-Eleven operates thousands of locations across the United States, making it an attractive target for cybercriminals seeking access to large customer databases. The company’s franchise model, which involves sharing customer and business data with independent store owners, can create additional security challenges and potential entry points for hackers.

This incident adds to a growing list of retail data breaches that have affected millions of consumers in recent years. Companies in the retail sector face particular challenges in securing customer data because they often collect information through multiple channels, including mobile apps, loyalty programs, and point-of-sale systems.