A Texas-based gas station operator recently informed the Maine Attorney General’s Office of a significant data breach that compromised the personal information of over 377,000 people. The incident involved Gulshan Management Services, a firm linked to the management of approximately 150 Handi Plus and Handi Stop locations across Texas.
The security breach was first identified in late September when the company noticed unauthorized activity within its internal IT infrastructure. A subsequent forensic investigation determined that the intruders gained access to the network through a successful phishing campaign. The attackers maintained an undetected presence on the company’s systems for ten days before they were finally discovered and removed.
During the period of unauthorized access, the threat actors managed to exfiltrate sensitive personal data belonging to hundreds of thousands of individuals. The stolen information reportedly included full names, contact information, Social Security numbers, and driver’s license numbers. Following the data theft, the attackers deployed ransomware that encrypted various files throughout the corporate network in an attempt to disrupt operations.
Despite the deployment of ransomware, no specific cybercriminal organization has stepped forward to claim responsibility for the intrusion on a public leak site. While the lack of a public claim can occasionally imply that a victim paid a ransom to keep the event private, the company’s official filing suggests a different course of action. Gulshan indicated that it successfully restored its digital environment using secure backups.
The decision to rely on backups typically signals that an organization chose to rebuild its systems independently rather than entering into negotiations with the attackers. The company has since concluded its initial probe and is fulfilling its legal obligation to notify the affected individuals and state regulators about the extent of the exposure.
Source: 377,000 Impacted By Data Breach At Texas Gas Station Company
Solid approach using backups instead of paying ransom. Ten days of undetected access is concerning though - that's a huge window for lateral movement and data exfil. The phishing vector combined with that dwell time shows why modern backup strategies need to go beyond just having copies. I've seen scenarios where attackers specifically target backup infrastrucure to force the ransom payment, so air-gapped or immutable backups are becoming kinda essential.