Dive Brief:
- 7-Eleven was hit with a cybersecurity attack earlier this spring that exposed some franchisee information, a company spokesperson confirmed to C-Store Dive on Tuesday.
- The retailer learned on April 8 that an unauthorized third party gained access to certain 7-Eleven systems used to store franchisee documents, Jim Kastle, 7-Eleven’s chief information security officer, said in a letter sent to impacted individuals on May 1. Those documents included personal information provided to 7-Eleven during the franchise application process.
- About 50 people in Massachusetts, Maine and Vermont were impacted by the incident, according to data breach filings presented to those states last week. It’s not clear if other individuals across the country were also affected.
Dive Insight:
7-Eleven’s spokesperson said that the convenience retailer “immediately launched an investigation and began taking steps to contain the incident” upon discovering it. The company has notified law enforcement and retained third-party cybersecurity experts, and hasn’t experienced any disruption to operations, the spokesperson emphasized.
“We identified a limited number of current, former, and prospective Franchisees whose data was involved in this incident, and we are in the process of contacting those affected individuals,” 7-Eleven’s spokesperson said. “We have no reason to believe that customer data was affected.”
In the May 1 letter, Kastle said the franchisee information obtained in the breach included names and addresses, among other elements. The Vermont filing noted that the breach included Social Security numbers, while the Massachusetts site noted Social Security numbers and drivers license data were compromised.
Kastle added that 7-Eleven has arranged for impacted individuals to enroll in identity theft protection services with theft protection agency IDX for up to 24 months.
The breach impacted 47 people in Massachusetts, 2 in Maine and one in Vermont, according to each state’s filing.
“We also wanted to apologize for any inconvenience this may cause you,” Kastle said in the letter.
7-Eleven’s confirmation of the breach comes several weeks after reports surfaced that cyber gang ShinyHunters claimed responsibility for the attack, which it said compromised more than 600,000 Salesforce records from the convenience retailer. 7-Eleven’s spokesperson did not respond by press time when asked about this information. In April, a spokesperson from Salesforce declined to comment when asked to confirm the reports.
7-Eleven isn’t the only major convenience retailer to have recently suffered a cyber attack. Gas Express LLC, a Circle K franchisee that has about 200 locations, reported a breach in January that exposed employees’ names, social security numbers and driver’s license numbers. About three weeks later, Gas Express was sued in Georgia for failing to protect its employees during the breach, as well as for failing to notify impacted employees of the breach when it happened. That lawsuit was settled earlier this month.
