Gulshan Management Services, Inc., a Texas-based company that operates over 150 gas stations and convenience stores under the Handi Plus and Handi Stop brands all over the United States, has confirmed a large-scale data breach that exposed personal information tied to more than 377,000 people.
The incident came to light through a filing with the Maine Attorney General, a required step when residents of that state are affected. According to the disclosure, attackers gained unauthorized access to an external system between September 17 and September 27, 2025. The breach was discovered on September 27, suggesting it went undetected for several days before being identified.
The Maine filing states that names or other personal identifiers were exposed, which already raises identity theft risks. However, a separate report submitted to the Texas Attorney General reveals more information, indicating that the breach may have involved the following data:
- Address
- Name of individual
- Social Security number
- Driver’s license number
- Government-issued ID number, such as a passport or state ID card
- Financial information, including bank account numbers and credit or debit card numbers.
What’s worse, consumer notifications did not go out until January 5, 2026, more than three months after the breach period ended. According to the filing, Gulshan Management Services, Inc., sent written notices to affected individuals, but public disclosures do not clearly show whether credit monitoring or identity protection was offered.
Lawsuits
According to ClassAction, the company is now facing several class action lawsuits and investigations alleging its management failed to take reasonable steps to secure sensitive data and waited too long to alert those impacted.
Gulshan runs close to 150 gas stations and convenience stores across multiple states, placing it in daily contact with employee records, vendor systems, and consumer-facing data. This type of infrastructure is a common target for attackers because operations rely on interconnected systems that are often managed with limited security oversight.
If you have received notification letters, keep an eye on your card and banking activities, inform your bank to block any unusual transactions, and watch out for unexpected calls or emails in which hackers can pretend to be authorities, aiming at stealing more of your information.