Business & MarketsCompanies

Rite Aid Reveals June Data Breach Affected 2.2 Million People

The hacking group has given the company time until July 26 to pay a ransom.
Save
Rite Aid Reveals June Data Breach Affected 2.2 Million People
A Rite Aid in Costa Mesa, Calif., on Oct. 18, 2023. (John Fredricks/The Epoch Times)
Naveen Athrappully
Updated:
0:00

A computer hacking incident in June aimed at drugstore chain Rite Aid has affected more than 2 million customers, the company announced Monday, adding that it has begun notifying customers.

The data breach occurred on June 6 when an “unknown third party impersonated a company employee to compromise their business credentials and gain access to certain business systems,” Rite Aid said in a July 15 press release.
The company revealed in a data breach notification filed with the Maine Attorney General’s office that 2.2 million customers were affected. Compromised data included information “associated with the purchase or attempted purchase of specific retail products,” the firm said in a letter to customers.

“This data included purchaser name, address, date of birth, and driver’s license number or other form of government-issued ID presented at the time of a purchase between June 6, 2017, and July 30, 2018. To confirm, no Social Security numbers, financial information, or patient information was impacted by the incident.”

Rite Aid is offering affected customers 12 months of identity monitoring services from risk mitigation and response firm Kroll. These services will include credit monitoring, identity theft restoration, and fraud consultation.

Individuals affected by the breach can contact the firm at 1 (866) 810-8094 for more information.

Related Stories
Half of Australia’s Population Exposed After Major Data Hack
7/18/2024
Half of Australia’s Population Exposed After Major Data Hack
A Year’s Worth of Customer Data Was Obtained in Rite Aid Security Breach
7/15/2024
A Year’s Worth of Customer Data Was Obtained in Rite Aid Security Breach
Rite Aid has been listed as a victim by the RansomHub ransomware group, according to cybersecurity firm HackManac.

The hackers gained access to 10 gigabytes of data, including 45 million lines of personal information, HackManac said in a July 12 X post. The group has set a deadline of July 26 for the ransom payment.

RansomHub claims they negotiated with Rite Aid regarding the payment but the company stopped communications, according to a screenshot posted by HackManac.

Cybersecurity company SOC Radar suggests RansomHub “likely” has roots in Russia. RansomHub refrains from targeting China, North Korea, Cuba, and the Commonwealth of Independent States, a group of 11 nations from the former USSR, SOC noted.

“While they suggest a global hacker community, their operations notably resemble a traditional Russian ransomware setup. Their stance on Russian-affiliated nations and the overlap in targeted companies with other Russian ransomware groups are also worth noting,” it said in a report.

The hacking operation began in February. The group’s first victim was YKP LTDA, a financial consulting company from Brazil, according to a May 9 report from cybersecurity firm Forescout.
RansomHub victimized 45 entities between February and April this year, Forescout said. It is unclear whether all the entities are businesses. The United States was home to 13 victims followed by Brazil with six victims, and the United Kingdom, Spain, and Italy with three victims each.

Legal Action

The Rite Aid data breach has triggered class action lawsuits, including from law firms Lynch Carpenter LLC and Console & Associates.
In a guide for victims of a data breach, Console & Associates wrote that some consumers may mistakenly believe they waive their legal rights to sue the company if they accept the complimentary credit monitoring services offered by the firm, such as the Kroll service provided by Rite Aid.

However, such a concern is “unfounded,” the law firm said in the guide.

“People who are affected by a data breach can and often do (and certainly should) protect themselves in all possible ways,” the firm said. “In many cases, these ways include taking advantage of the credit monitoring services provided by the company as well as participating in any applicable class action lawsuits against the company for failing to adequately protect the data in its possession.”

The data breach comes as Rite Aid is currently undergoing bankruptcy proceedings. The company filed for Chapter 11 bankruptcy in July after the retail chain was weighed down by mounting debt and slowing sales.

At the time, the firm received $3.45 billion in new financing from its lenders, which was expected to “provide sufficient liquidity to support the Company throughout this process.”

Rite Aid, which operates about 1,700 retail pharmacy stores in 16 states, has been shuttering dozens of stores over the past months.

The Epoch Times contacted Rite Aid for comment.