The breach, which included a year’s worth of customers’ data, exposed sensitive information such as names, addresses, dates of birth, and driver’s license numbers.
The compromised data also included other forms of government-issued identification presented all used at the time of purchase between June 6, 2017, and July 30, 2018.
No Social Security numbers, financial information, or patient information were impacted by the incident, the notice said.
“We are mailing letters to any potentially affected consumer who was associated with a mailing address in our systems,” the company said in a press release.
The breach was detected within 12 hours, the company said, prompting an immediate investigation to terminate the unauthorized access, remediate affected systems, and determine the extent of the data compromise. The incident was reported to law enforcement, as well as federal and state regulators.
By June 17, Rite Aid had determined that the unknown third party had acquired data associated with the purchase or attempted purchase of specific retail products.
“We regret that this incident occurred and are implementing additional security measures to prevent potentially similar attacks in the future,” the company said in the press release. “We take our obligation to safeguard personal information very seriously and are alerting affected consumers about this incident.”
Consumers with additional questions are encouraged to call a dedicated assistance line set up by the company toll-free at (866) 810-8094.
This assistance line will remain open until Oct. 15, the company said. Rite Aid also invited consumers who did not receive a notification letter but are concerned they may have been affected to contact the assistance line for further information.
AT&T said it had discovered the data breach in April, which involved an unauthorized download of data from a third-party cloud platform, and compromised records of calls and texts for nearly all AT&T cellular customers, as well as customers of mobile virtual network operators (MVNOs) using AT&T’s wireless network, and AT&T landline customers who interacted with those cellular numbers, the company said on July 12.
The affected period for that breach spanned from May 1, 2022, to October 31, 2022, with additional records from Jan. 2, 2023, for a small number of customers also being leaked. The compromised data includes telephone numbers involved in interactions and, for some records, cell site identification numbers.