TL;DR: Gulshan Management Services, operator of 150 Handi Plus and Handi Stop convenience stores in Texas, got hit with ransomware in September 2025. Attackers had access to their systems for 10 days, stealing names, Social Security numbers, and driver's license numbers from 377,082 people. The company didn't start notifying victims until January 5, 2026, over 100 days later. Multiple law firms are now investigating potential class action lawsuits for the delayed notification.

The Breach

September 17, 2025: An employee at Gulshan Management Services clicked the wrong link.[1]

That phishing email gave attackers a foothold. They spent the next 10 days quietly moving through the company's network, reaching servers that held customer data. By the time Gulshan detected the intrusion on September 27, the damage was done.[2]

The attackers deployed ransomware, encrypting portions of the company's systems. But the encryption was just the finale, they'd already copied the data.

Here's what got stolen:

  • Names and contact information
  • Social Security numbers
  • Driver's license numbers
  • Government-issued ID numbers
  • Addresses
  • Financial information

The final count: 377,082 people affected, according to filings with the Maine Attorney General's office.[3]

Who Is Gulshan Management Services?

Gulshan Management Services is a Texas-based business services company operating approximately 150 convenience stores under the Handi Plus and Handi Stop brands.[4]

If you've filled up at a Handi Plus or Handi Stop in Texas and signed up for any loyalty programs, provided ID for age-restricted purchases, or applied for a job there, your data may be in this breach.

The 100-Day Silence

Here's what's making lawyers pay attention: Gulshan knew about this breach on September 27, 2025. They didn't start notifying affected customers until January 5, 2026.[1]

That's over 100 days.

Starting January 1, 2026, California law requires businesses to notify breach victims within 30 days of discovery.[5] Other states have similar requirements. While Gulshan is based in Texas, the breach affected residents of multiple states, including at least 54 people in Maine.

During those 100+ days, attackers had a head start on using stolen Social Security numbers and driver's licenses for identity theft, tax fraud, and account takeovers.

Gulshan's Response

According to breach notifications, Gulshan restored their systems using "known-safe backups", which typically means they didn't pay the ransom.[6]

The company is offering affected individuals complimentary credit monitoring services. No ransomware group has publicly claimed responsibility for the attack.

What Affected Customers Should Do

Freeze Your Credit, Now

With SSNs exposed, identity thieves can open accounts in your name. A credit freeze is free and prevents new accounts. Contact Equifax, Experian, and TransUnion directly.

Set Up IRS Identity Protection

Stolen SSNs are used for tax fraud. Apply for an IRS Identity Protection PIN at irs.gov/identity-theft-fraud-scams/get-an-identity-protection-pin.

Monitor Your Accounts

Check bank accounts, credit cards, and any financial accounts for unauthorized activity. Set up real-time transaction alerts.

Watch for Targeted Scams

Attackers with your personal info send convincing phishing emails. They know your name, address, and where you shop. Be suspicious of everything.

Consider a Fraud Alert

A fraud alert requires creditors to verify your identity before opening new accounts. It's less restrictive than a freeze but still adds protection.

Document Everything

Save breach notifications, monitor credit reports, and document any suspicious activity. You may need this evidence for insurance claims or legal action.

The Notification Problem

This breach highlights a persistent issue: companies take their time telling you when your data is stolen.

Businesses have incentives to delay notifications, investigation time, legal review, PR preparation. Meanwhile, criminals have your Social Security number and a 100-day head start.

California's new 30-day notification requirement is a step forward. But most states still allow much longer delays, and enforcement is spotty.

The result: you're the last to know when your data is stolen, but the first to suffer the consequences.

References

  1. PRNewswire - Privacy Alert: Gulshan Management Services Under Investigation for Data Breach (January 2026)
  2. JD Supra - Gulshan Management Services Data Breach After Email Phishing Attack (January 2026)
  3. eSecurity Planet - 377,000 Affected in Texas Gas Station Operator Breach (January 2026)
  4. CyberPress - Ransomware Attack on Texas Gas Station Firm Leaks 377,000 User Records (January 2026)
  5. Eye on Privacy - 2026 Data Breach Law Updates: California and Oklahoma
  6. ClassAction.org - Gulshan Management Services Data Breach (January 2026)
  7. GlobeNewswire - Murphy Law Firm Investigates Gulshan Management Services Data Breach (January 2026)