Rite Aid says ‘limited’ cyber incident affected data of 2.2 million people


A “limited” cyberattack on Rite Aid exposed the sensitive information of more than 2 million people, according to regulatory filings made this week. 

The drugstore chain filed documents with regulators in Maine, Massachusetts, Oregon, Vermont and other states on Monday explaining the ramifications of a cyberattack that took place last month. 

Last week, Rite Aid told Recorded Future News that it experienced a “limited cybersecurity incident” in June that affected some of the company’s systems. The company said it has restored its systems and is fully operational but planned to send “notices to impacted consumers.”

In the breach notification letters, Rite Aid said the attack began on June 6, when a hacker “impersonated a company employee to compromise their business credentials and gain access to certain business systems.” 

“We detected the incident within 12 hours and immediately launched an internal investigation to terminate the unauthorized access, remediate affected systems and ascertain if any customer data was impacted,” the company said. 

“We determined by June 17, 2024, that certain data associated with the purchase or attempted purchase of specific retail products was acquired by the unknown third party. This data included purchaser name, address, date of birth and driver’s license number or other form of government-issued ID presented at the time of a purchase between June 6, 2017, and July 30, 2018.”

Law enforcement was contacted and victims are being offered one year of identity protection services. In total, the number of people affected is 2,200,000. 

Rite Aid has more than 1,700 stores across 16 states. It reported $5.7 billion in revenue last quarter but filed for bankruptcy in October due to federal lawsuits surrounding the opioid crisis.

The company is already facing lawsuits for a data breach in May 2023 that exposed the patient names, dates of birth, addresses, prescription data, prescriber information, and limited insurance data of more than 24,000 people.

Rite Aid previously filed notifications about breaches with regulators in California in 2015, 2017 and 2018.

The incident came to light last week after the RansomHub ransomware operation claimed to have attacked the company. In a dark web post the cybercriminals said they stole 10 gigabytes of data that includes customer information like ID numbers and Rite Aid rewards numbers.

The group threatened to leak stolen data if a ransom isn’t paid by a July 24 deadline. Rite Aid did not respond to requests for comment about whether it plans to pay the ransom.


Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.

 
