Rite Aid Data Breach Impacts 2.2 Million Customers

Rite Aid, the third-largest drug store chain in the United States, has reported a significant data breach affecting over 2.2 million customers. The compromised data includes names, addresses, birth dates, and driver’s license numbers, linked to purchases or attempted purchases made between June 6, 2017, and July 30, 2018. Notably, social security numbers, financial information, and patient data were not involved.

The breach was discovered on June 6, 2024, when an unknown third party impersonated a company employee to gain unauthorized access to Rite Aid’s business systems. The company identified and contained the breach within 12 hours, launching an internal investigation to mitigate the damage and secure affected systems.

RansomHub, a relatively new ransomware group that rebranded from a previous group known as Knight, has taken credit for the attack, claiming to have acquired over 10GB of customer data. This group has become prominent following a law enforcement operation that dismantled much of the infrastructure of a rival group, Lockbit. RansomHub stated it was in negotiations with Rite Aid officials before the company abruptly ceased communications. Rite Aid has not disclosed if multifactor authentication was in place for the compromised account.

Rite Aid, operating over 1,700 stores across 16 states, recently filed for bankruptcy, primarily to address lawsuits related to the opioid crisis. This breach adds to the company’s legal challenges, which include several lawsuits stemming from another data breach in May 2023 that exposed patient prescription data and insurance information for over 24,000 customers. Previous breaches were reported in 2015, 2017, and 2018.