Dive Brief:
- Gas Express, the largest franchisee of Circle K convenience stores in the U.S., has been hit with a class action lawsuit over a data breach that impacted an undisclosed number of employees, according to documents filed last week with the U.S. District Court for the Northern District of Georgia.
- The lawsuit alleges that Gas Express, which operates about 160 Circle K c-stores across four states, failed to implement adequate data security to protect employees’ information. That information included names, social security numbers and driver’s license numbers.
- Gas Express is also under fire for failing to notify impacted employees of the breach when it happened. Although the company notified these individuals in mid-January, the suit claims Gas Express discovered the breach in May 2024, and this delay in reporting and identifying the attack “caused additional harm.”
Dive Insight:
The lawsuit was brought by Brittany Canup, a former Gas Express employee who last worked for the company in 2020. According to the lawsuit, when Canup was hired, she was required to provide her name, driver’s license number and social security number. At the time, Gas Express entered into “implied contracts” with its employees that it could adequately safeguard this information, according to the lawsuit.
In a letter Canup received from Gas Express on Jan. 13., the company shared that an “encryption incident” disrupted parts of its digital environment. As a result, the information Canup provided years ago “could have potentially been acquired by the unauthorized party” involved in this incident.
Canup’s lawsuit alleges that Gas Express breached its employee contracts when it experienced the attack and failed to use "reasonable data security measures” that could have prevented it. Additionally, the lawsuit notes that by not contacting employees when the breach initially occurred, Gas Express deprived them of their earliest ability to take protective measures.
According to the lawsuit, Gas Express has yet to offer an explanation for why it took seven months to contact impacted individuals of the breach.
“Early notification helps a victim of a Data Breach mitigate their injuries, and in the converse, delayed notification causes more harm and increases the risk of identity theft,” the lawsuit states. “Here, [Gas Express] knew of the breach and did not timely notify all victims.”
According to the lawsuit, Canup and other impacted employees have experienced several ramifications resulting from the breach, including financial costs incurred from identity theft. Since Gas Express still has this data, the company could be subjected to additional breaches if it doesn’t undertake adequate security measures, according to the lawsuit.
The number of employees affected by the breach is unknown until Gas Express discloses its records. When Gas Express filed a data breach report with the attorney general of Massachusetts in January, it noted that two people who live in Massachusetts had their information compromised in the incident.
Canup is seeking compensatory damages, reimbursement of out-of-pocket costs, and injunctive relief, including improvements to Gas Express’ data security systems, future audits of the company’s systems and long-term credit monitoring services for class members to be funded by Gas Express.
Representatives from Gas Express and Alimentation Couche-Tard, Circle K’s parent company, did not respond by press time to comment on the lawsuit.
