Rite Aid says 'limited' cyber incident affected data of 2.2 million people
A “limited” cyberattack on Rite Aid exposed the sensitive information of more than 2 million people, according to regulatory filings made this week.
The drugstore chain filed documents with regulators in Maine, Massachusetts, Oregon, Vermont and other states on Monday explaining the ramifications of a cyberattack that took place last month.
Last week, Rite Aid told Recorded Future News that it experienced a “limited cybersecurity incident” in June that affected some of the company’s systems. The company said it has restored its systems and is fully operational but planned to send “notices to impacted consumers.”
In the breach notification letters, Rite Aid said the attack began on June 6, when a hacker “impersonated a company employee to compromise their business credentials and gain access to certain business systems.”
“We detected the incident within 12 hours and immediately launched an internal investigation to terminate the unauthorized access, remediate affected systems and ascertain if any customer data was impacted,” the company said.
“We determined by June 17, 2024, that certain data associated with the purchase or attempted purchase of specific retail products was acquired by the unknown third party. This data included purchaser name, address, date of birth and driver’s license number or other form of government-issued ID presented at the time of a purchase between June 6, 2017, and July 30, 2018.”
Law enforcement was contacted and victims are being offered one year of identity protection services. In total, the number of people affected is 2,200,000.
Rite Aid has more than 1,700 stores across 16 states. It reported $5.7 billion in revenue last quarter but filed for bankruptcy in October due to federal lawsuits surrounding the opioid crisis.
The company is already facing lawsuits for a data breach in May 2023 that exposed the patient names, dates of birth, addresses, prescription data, prescriber information, and limited insurance data of more than 24,000 people.
Rite Aid previously filed notifications about breaches with regulators in California in 2015, 2017 and 2018.
The incident came to light last week after the RansomHub ransomware operation claimed to have attacked the company. In a dark web post the cybercriminals said they stole 10 gigabytes of data that includes customer information like ID numbers and Rite Aid rewards numbers.
The group threatened to leak stolen data if a ransom isn’t paid by a July 24 deadline. Rite Aid did not respond to requests for comment about whether it plans to pay the ransom.
Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.