167,000 Ruger Owners Had Their Private Data Exposed
Filed: October 4, 2022 • Source: Class Action Complaint, U.S. District Court for the District of Connecticut
TL;DR
- Ruger’s online store, ShopRuger.com, was infected with malware for nearly 17 months, from September 18, 2020 through February 3, 2022, while criminals silently siphoned names, addresses, email addresses, and full payment card data from over 167,000 customers.
- Ruger knew the breach had been contained by early February 2022, then waited over seven more months to notify the people whose financial lives were at risk, finally sending notice letters on August 18, 2022.
- The stolen data was captured in unencrypted form directly from the checkout page at the exact moment customers clicked “submit,” a failure that violates basic Payment Card Industry security standards that Ruger was required to follow.
- Ruger’s own negligence extended to its third-party vendor, Freestyle Solutions, which managed the compromised server; Ruger failed to audit, monitor, or hold that vendor to industry security standards for the entire 17-month attack window.
- The lawsuit alleges Ruger deliberately chose cheaper security to pad its own profits, putting 167,936 customers at lifetime risk of identity theft and fraud in exchange for cost savings it pocketed.
The legal complaint describes exactly what Ruger admitted in its own notice letter about when your data was exposed. That admission is quoted word-for-word in Legal Receipts.
Ruger knew criminals were living inside its customers’ financial data for nearly a year and a half and said absolutely nothing for seven months after the malware was finally removed.
17 Months. 167,000 People. One Company’s Silence.
On September 18, 2020, malware quietly embedded itself inside the server run by Freestyle Solutions, the third-party vendor Ruger hired to host its ShopRuger.com e-commerce website. The malware sat there, undetected, harvesting customer data for 17 consecutive months until February 3, 2022. Ruger’s own vendor discovered and removed it on August 2, 2022, which is the date Freestyle Solutions first notified Ruger of the problem. That’s over six months between removal and even that internal notification.
Every single person who bought anything on ShopRuger.com during that window had their full name, home shipping address, billing address, email address, credit or debit card number, card security code, and card expiration date captured by criminals. The complaint also notes that the stolen data included what each customer bought, how much they paid, and how many items they purchased. That combination is especially dangerous: it tells criminals exactly which homes contain firearms purchased by gun owners who trusted a gun company to protect them.
Ruger finally mailed notice letters on August 18, 2022, more than seven months after the malware was removed from its vendor’s server, and nearly two full years after the breach began. By that point, the stolen data had already been in criminal hands long enough to be packaged, sold, resold, and weaponized on dark web markets multiple times over.
How the Theft Actually Worked
Payment card encryption is supposed to scramble your card data the instant you hit “submit,” so that even if someone intercepts it, they get useless gibberish. Ruger failed to implement that encryption at the point of entry. The complaint states that data was captured at the moment a customer clicked the submission button on the checkout form, in the brief window before encryption occurred. Ruger essentially built a revolving door at the exact moment your card number was most vulnerable, and criminals walked through it 167,000 times.
The Payment Card Industry Data Security Standards (PCI DSS) exist specifically to prevent this. These are mandatory industry-wide standards that any company accepting card payments must follow. The lawsuit alleges Ruger violated them completely, failing to encrypt data at point-of-sale, failing to install security updates and patches in a timely way, failing to implement proper system monitoring, and failing to audit its vendor’s security practices even once during the 17-month attack.
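One defender-side check that follows from this section, added here as an example and not taken from the complaint, from Ruger, or from Freestyle Solutions: a scanner that flags plaintext card numbers and security codes in captured form data or application logs, since PCI DSS requires a primary account number to be rendered unreadable wherever it is stored and forbids storing the security code after authorization at all. The log format, field names, and records are constructed for the sample.

```python
import re

# Constructed sample records (not real data) resembling application log lines
# that would exist if a checkout form's POST body were logged or captured in
# plaintext. 4111111111111111 is a well-known Luhn-valid test number.
SAMPLE_RECORDS = [
    "2020-09-18 12:01:03 POST /checkout name=Jane+Doe&card=4111111111111111&cvv=123&exp=0924",
    "2020-09-18 12:01:09 POST /checkout name=John+Roe&card=4111111111111112&cvv=456&exp=1125",
    "2020-09-18 12:02:44 GET /catalog?item=holster",
    "2020-09-18 12:03:10 POST /checkout name=Ann+Poe&card=tok_9f3a1c&exp=0325",
]

# Runs of 13 to 19 digits not embedded in a longer digit run (candidate PANs).
PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")
# Security-code fields under the names payment forms commonly use (assumed).
CVV_RE = re.compile(r"\b(?:cvv|cvc|csc|cvv2)=(\d{3,4})\b", re.IGNORECASE)


def luhn_valid(digits: str) -> bool:
    """True if the digit string passes the Luhn checksum used by payment cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Mask a PAN the way PCI DSS permits it to be displayed: first six, last four."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_plaintext_card_data(records):
    """Flag records carrying a Luhn-valid PAN or a security code in plaintext.

    Returns one dict per offending record; PANs are masked so the finding
    itself does not become another copy of the card data.
    """
    findings = []
    for index, line in enumerate(records):
        pans = [m for m in PAN_RE.findall(line) if luhn_valid(m)]
        cvv_present = bool(CVV_RE.search(line))
        if pans or cvv_present:
            findings.append({
                "record": index,
                "masked_pans": [mask_pan(p) for p in pans],
                "cvv_present": cvv_present,
            })
    return findings


if __name__ == "__main__":
    for finding in find_plaintext_card_data(SAMPLE_RECORDS):
        print(finding)
```

A non-Luhn digit run (second record) is not reported as a card number, but the plaintext security code beside it still makes the record a finding.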
The Non-Financial Ledger: What They Stole That Can’t Be Refunded
Mark Jones, the named plaintiff in this case, did everything right. He visited ShopRuger.com, trusted the checkout process, and used his Discover credit card to complete his purchase. He was then informed his items were out of stock. He waited. The order was eventually cancelled. But Ruger kept his personal and financial information on file. What happened next is a pattern that played out for 167,000 people: five fraudulent charges appeared on his Discover card. He spent hours on the phone disputing them. He cancelled and reissued his card. He reviewed his credit reports. He researched identity theft protection services. He lost money. He lost time. He lost sleep.
The complaint documents that Jones suffered “anxiety as a result of the release of his Private Information, which he believed would be protected from unauthorized access and disclosure, including anxiety about unauthorized parties viewing, selling, and/or using his Private Information for purposes of identity crimes, fraud, and theft.” That anxiety is rational, documented, and ongoing. It does not end when you cancel a credit card. It follows you for years because, as the U.S. Government Accountability Office has confirmed, stolen data can sit in criminal hands for over a year before it is deployed, and fraudulent use can continue for years after that.
This was a customer base of gun owners and firearms accessory buyers. The data criminals obtained included the nature of each purchase alongside the home shipping and billing address of the buyer. The complaint is explicit about the specific threat this combination creates: criminals can use that information to identify the homes of firearm owners in order to steal firearms they cannot legally obtain through normal channels. These are not abstract privacy harms. These are home invasion threat vectors, manufactured by a gun company’s refusal to invest in basic security.
Ruger’s offered remedy was 12 months of identity theft detection services. The complaint describes this as “wholly inadequate” given that the risk to these customers extends for years into the future, potentially a lifetime. Ruger collected the data, profited from the transactions, pocketed the money it should have spent on security, and then handed victims a one-year band-aid for a wound that may never fully close. Every person on that list now faces years of constant surveillance of their own financial life, monitoring accounts, freezing credit, disputing charges, and living with the knowledge that their home address is in a criminal database alongside a record of the firearms equipment they own.
Legal Receipts: What Ruger Actually Admitted
Admission #1: The Data Was Unprotected at the Exact Moment of Capture
“As Defendant admits in its Notice Letter, the Private Information ‘was captured when a customer clicked the “submission” button on the checkout form, immediately before the data was encrypted and stored . . . .’” Class Action Complaint, Paragraph 32, citing Ruger’s own Notice Letter to affected customers, August 18, 2022
Admission #2: The Malware Ran Undetected for 17 Months
“Incredibly, the malicious malware infected ShopRuger.com for a period of nearly 17 months, from September 18, 2020 through February 3, 2022.” Class Action Complaint, Paragraph 30
Admission #3: Ruger Chose Cheaper Security to Increase Its Own Profits
“Defendant enriched itself by saving the costs it reasonably should have expended on data security measures to secure Plaintiff’s and Class Members’ Private Information and instead directing those funds to its own profit. Instead of providing a reasonable level of security that would have prevented the hacking incident, Defendant instead calculated to increase its own profits at the expense of Plaintiff and Class Members by utilizing cheaper, ineffective security measures.” Class Action Complaint, Paragraph 141 (Unjust Enrichment Count)
Admission #4: The Gun-Buyer Data Created a Direct Physical Safety Threat
“The aggregate information acquired by cybercriminals in this Data Breach is particularly concerning considering that Defendant’s customers were purchasing firearm accessories from ShopRuger.com. Criminals can now access their Private Information which includes the nature of their purchases and their shipping and billing addresses. With this information criminals can target the homes of firearm owners to steal firearms that they cannot obtain through legal channels.” Class Action Complaint, Paragraph 4
Admission #5: Stolen Data Stays Dangerous for Years, Possibly a Lifetime
“Law enforcement officials told us that in some cases, stolen data may be held for up to a year or more before being used to commit identity theft. Further, once stolen data have been sold or posted on the Web, fraudulent use of that information may continue for years. As a result, studies that attempt to measure the harm resulting from data breaches cannot necessarily rule out all future harm.” U.S. Government Accountability Office, cited in Class Action Complaint, Paragraphs 41 and 60
Your Data Had a Price Tag. You Got Nothing.
The complaint includes documented dark web pricing for the exact type of data stolen from ShopRuger.com customers. Personal information sells for $40 to $200 (enough to cover a week of groceries for a family of four). Bank and payment card details go for $50 to $200 (equivalent to a month of utility bills for many households). Experian research cited in the complaint places stolen credit or debit card numbers at $5 to $110 each on the dark web. At the low end of $5 per card across 167,936 victims, that is at minimum $839,680 (more than the average American worker earns in 20 years) in raw criminal market value generated from Ruger’s failure. At the high end of $110 per card, that figure reaches $18,472,960 (enough to pay off the student loans of roughly 370 average borrowers).
The data brokerage industry was worth roughly $200 billion (more than the annual GDP of most countries on Earth) in 2019, which means the information Ruger allowed to be stolen carries quantifiable real-world value that its customers will never recover. The complaint frames this directly as a property rights issue: the stolen data had a legitimate market value, that value was destroyed or diminished by its theft and exposure, and Ruger’s customers received zero compensation for the loss of their own property.
The “Cost of a Life” Metric: What Ruger Saved vs. What You Lost
167,936 people had their financial data, home addresses, and purchasing history handed to criminals because Ruger calculated it was cheaper to skip proper security than to build it. Those 167,936 individuals now face a lifetime risk of identity theft, home burglary targeting, and financial fraud.
At the minimum $5 dark web value per stolen card number, the criminal market for Ruger’s failure was worth at least $839,680 (more than an average American earns over 20 working years). Ruger’s customers received $0 in compensation for the loss of their own data property.
Societal Impact Mapping
Public Health: The Anxiety Economy No One Compensates
The complaint explicitly documents psychological harm as a measurable injury. Mark Jones, the named plaintiff, is documented to have “suffered anxiety as a result of the release of his Private Information.” That anxiety is not a minor inconvenience; it is the documented, ongoing psychological cost of having your financial identity compromised and then being told about it two years after the fact. Jones describes concern about unauthorized parties “viewing, selling, and/or using his Private Information for purposes of identity crimes, fraud, and theft.” That vigilance state, where a person has to constantly monitor their own financial life for attacks that may come years from now, is a chronic stressor.
The complaint catalogs a staggering volume of labor that 167,936 ordinary people were forced to perform because of Ruger’s failure: finding fraudulent charges, canceling cards, getting new ones issued, resetting automatic billing, contacting banks, waiting on hold, disputing transactions, placing credit freezes, purchasing monitoring services, pulling credit reports, and making trips to physical bank branches. This is hours, days, and in some cases weeks of unpaid work forced onto working people whose time has real value. Ruger pocketed the money it should have spent on security, and then distributed the labor of dealing with the consequences directly to its customers.
Economic Inequality: The Poorest Customers Pay the Most
Identity theft and financial fraud operate as a regressive tax. People with thin financial cushions suffer disproportionately when fraudulent charges appear, accounts are frozen, or credit scores are damaged. The complaint documents that victims faced “loss of use of and access to their account funds,” “missed payments on bills and loans, late charges and fees, and adverse effects on their credit, including decreased credit scores and adverse credit notations.” For a working-class customer living paycheck to paycheck, a frozen account or a dropped credit score has cascading consequences that a wealthy customer never faces.
The complaint notes that customers were not just harmed by what was stolen; they were harmed by what Ruger charged them for in the first place. Because Ruger collected payment without disclosing that it lacked adequate security, customers paid for products with an implicit promise of data protection that Ruger never delivered. The lawsuit frames this as a benefit-of-the-bargain claim: every customer who purchased from ShopRuger.com during those 17 months paid for security they never received. That overpayment falls hardest on people who could least afford it.
The dark web economy that profits from breaches like this one feeds directly back into financial crimes targeting regular people. The complaint notes that full company breach datasets sell for $900 to $4,500 (enough to cover two to ten months of groceries for a family). Organized criminal networks purchase these datasets wholesale and deploy them systematically against people who have no idea they were compromised. Every fraudulent charge that clears before a victim catches it is a direct wealth transfer from working people to criminal enterprises, made possible by Ruger’s choice to cut corners on security.
What Now? Who to Pressure and How to Protect Yourself
Corporate Roles Responsible
- Sturm, Ruger & Company, Inc.: Defendant; firearms manufacturer and ShopRuger.com operator; headquartered in Southport, Connecticut
- Freestyle Solutions: Third-party vendor responsible for hosting and managing the ShopRuger.com server during the entire 17-month breach window
- [REDACTED – Not in Source]: Ruger’s Chief Information Security Officer or equivalent data security leadership
- [REDACTED – Not in Source]: Ruger’s Board of Directors, which approved the budget decisions that led to inadequate data security investment
Regulatory Watchlist
- Federal Trade Commission (FTC): Authority over unfair or deceptive data security practices; the complaint cites the FTC Act as a source of Ruger’s independent duty to safeguard customer data
- State Attorneys General: Multiple state AGs were notified via the breach notice letter; the Maine AG’s office published the breach data used to confirm the 167,936 victim count
- Payment Card Industry Security Standards Council (PCI SSC): Governs the PCI DSS standards that Ruger violated by failing to encrypt card data at point-of-sale
- Consumer Financial Protection Bureau (CFPB): Relevant to the financial harm, fraudulent charges, and credit damage suffered by affected consumers
What You Can Do Right Now
If you ever bought anything on ShopRuger.com between September 2020 and February 2022: Pull your credit reports from all three bureaus at AnnualCreditReport.com, place a free credit freeze at Equifax, Experian, and TransUnion, and review every statement from that period for unauthorized charges. A credit freeze costs you nothing and prevents anyone from opening new accounts in your name.
Support the class action and stay informed: Cases like this only succeed when affected people participate. Watch ClassAction.org for updates on this case. If you received a notice letter from Ruger, you are likely already a class member. Reach out to the attorneys listed in the complaint at Scott+Scott Attorneys at Law.
Organize and share: Corporate data negligence is a systemic problem, not an individual one. Local mutual aid networks can help neighbors who lack the time or resources to navigate fraud disputes on their own. Share this investigation with anyone who shops at firearms retailers online. The only thing that changes corporate behavior on data security is the financial pain of accountability. Make it painful.
The source document for this investigation is attached below.