Rite Aid says breach exposed sensitive data of 2.2 million customers

    The Rite Aid logo in one of its stores.
    Getty Images

    Rite Aid, the third-largest drugstore chain in the U.S., reported that more than 2.2 million customers were affected by a data breach that exposed personal information including driver's license numbers, addresses and dates of birth.

    The company said in mandatory filings with attorneys general in states including Maine, Massachusetts, Vermont and Oregon that the stolen data related to purchases or attempted purchases of retail products between June 6, 2017, and July 30, 2018. The data provided included the buyer’s name, address, date of birth and driver’s license number or other form of government ID. No Social Security numbers, financial information or patient data were included.

    “On June 6, 2024, an unknown third party impersonated a company employee to compromise his corporate credentials and gain access to certain corporate systems,” the filing said. “We discovered the incident within 12 hours and immediately initiated an internal investigation to stop the unauthorized access, remediate the affected systems, and determine if any customer data was compromised.”

    RansomHub, a relatively new ransomware group, has claimed responsibility for the attack, which it says yielded more than 10GB of customer data. RansomHub emerged earlier this year as a new iteration of a group known as Knight. According to security firm Check Point, RansomHub became the most prevalent ransomware group after an international law enforcement operation in May took down much of the infrastructure of rival ransomware group LockBit.

    On its dark web site, RansomHub said it was in advanced stages of negotiations with Rite Aid officials when the company suddenly cut off communication. A Rite Aid official did not respond to emailed questions. Rite Aid also declined to say whether the employee account compromised in the breach was protected by multifactor authentication.

    Rite Aid operates more than 1,700 stores in 16 states. It posted $5.7 billion in sales in its most recent fiscal quarter, which ended June 3. The chain filed for bankruptcy in October, largely to protect itself from lawsuits over the opioid crisis. Rite Aid is a defendant in multiple lawsuits stemming from a separate data breach in May 2023. The earlier breach exposed patient names, dates of birth, addresses, prescription records and insurance information for more than 24,000 customers. Rite Aid previously reported breaches in 2015, 2017 and 2018.