A 7-Eleven has a disarmingly ordinary quality. You in for a snack or coffee, give your information without giving it much thought, and go. The transaction seems insignificant. However, two plaintiffs are currently arguing in a federal trial in Texas that this ordinariness was precisely the issue—that 7-Eleven handled consumer data the same way it handled a bag of chips, which is to be moved fast with little regard for its future.
Carl Ellison and Rebecca Choplin filed two different class action lawsuits based on the same allegation: that 7-Eleven did not sufficiently safeguard its customers’ personally identifiable information during a data breach that was detected in April 2026. It wasn’t a subtle violation. In a dark web blog post on April 17, a cybercriminal extortion organization named ShinyHunters claimed credit for stealing over 600,000 records from the company’s network. The accusations stated that the records were neither encrypted or deleted. According to the terminology used in both claims, they were just sitting there.
In certain circles, the moniker ShinyHunters is not new. Over the past few years, the gang has been linked to high-profile incursions at other large corporations, and its operations have a certain grim efficiency. Publicly announce the breach, make the data available for download, and then watch for panic.
According to the accusations, the group in this instance appears to have used precisely that strategy, posting hundreds of thousands of sensitive documents on its dark web site where anyone might potentially read them. It’s still unknown if all those documents have been abused. However, Ellison and Choplin contend that the exposure itself is the harm, and it was completely preventable.
The terminology used in the cases is what makes them especially targeted. Early and frequently, the phrase “negligent and/or careless” is used. In addition to failing to follow normal security procedures, 7-Eleven is accused in both documents of failing to “even encrypt or redact this highly sensitive information”—a claim that becomes more compelling the more you consider it. Encryption is not a novel concept. Frontier technology is not costly. Right now, it’s a fundamental expectation. A jury is likely to find resonance in the allegation that a business the size and scope of 7-Eleven would have omitted that step.
Additionally, both lawsuits target what they characterize as a purposeful concealment of the extent of the intrusion. They claim that 7-Eleven neglected to notify customers of the occurrence for “an unreasonable duration of time” and that its security procedures were insufficient in the first place. In some respects, this is the more serious charge—not only that the breach occurred, but that individuals were unaware of it while their data was ostensibly already accessible for download on the other side of a Tor browser. It is simple to comprehend the frustration that led to such accusation.
Leanna A. Loginov of Shamis & Gentile P.A. and John J. Nelson of Milberg PLLC represent Ellison; Loginov also represents Choplin. In order to potentially broaden the scope of any decision or settlement that is ultimately reached, both plaintiffs aim to certify nationwide classes that include all individuals whose information was exposed. They seek injunctive relief, nominal damages, consequential damages, and actual damages—basically, money and a court order compelling 7-Eleven to make real repairs.
It’s important to note that 7-Eleven has recently encountered more legal issues. Bank of America agreed to pay $2.25 million earlier this year to resolve allegations that it imposed out-of-network ATM fees at 7-Eleven locations. This is a different issue, but it serves as a reminder that the company has been under legal investigation. A completely different kind of weight is added by the data breach litigation. Customers increasingly anticipate that their information will be treated with rudimentary competence when they share it, even inadvertently, even at a convenience shop. It appears that a federal court will now determine whether 7-Eleven complied with that requirement.
