Rite Aid, a major drug store chain in the US, disclosed that a data breach has affected over 2.2 million customers, resulting in the theft of personal information such as driver’s license numbers, addresses, and birth dates. The incident occurred between June 6, 2017, and July 30, 2018, during purchases or attempted purchases of retail products.
The stolen data included the names, addresses, birth dates, and driver’s license numbers of customers. Fortunately, social security numbers, financial information, and patient data were not compromised in this breach. The breach was discovered on June 6, 2024, when an unknown third party gained unauthorized access to the company’s systems by impersonating an employee.
RansomHub, a ransomware group, has claimed responsibility for the attack and stated that they obtained over 10GB of customer data. RansomHub emerged this year after rebranding from a group known as Knight, becoming a significant threat in the ransomware landscape. The group indicated that negotiations with Rite Aid were ongoing until the company ceased communication abruptly.
Rite Aid has not revealed whether the compromised employee account had multifactor authentication enabled. The company, which operates over 1,700 stores across 16 states, reported sales of $5.7 billion in its recent fiscal quarter. Rite Aid filed for bankruptcy in October, primarily to protect itself from lawsuits related to the opioid crisis.
This is not the first time Rite Aid has faced a data breach. In 2023, the chain experienced a separate breach exposing sensitive information of more than 24,000 customers. Previous breaches were reported in 2015, 2017, and 2018, highlighting ongoing security challenges for the company. Rite Aid has not yet responded to inquiries regarding the recent breach or the security measures in place to protect customer data.