Rite Aid, the drugstore chain, recently announced that a computer hacking incident in June has affected over 2 million of its customers. The breach occurred on June 6 when an unknown third party impersonated a company employee, gaining access to certain business systems. The compromised data included customer information associated with retail product purchases made between June 6, 2017, and July 30, 2018. This information included the purchaser’s name, address, date of birth, and driver’s license number or other government-issued ID. However, Rite Aid assured customers that no social security numbers, financial information, or patient records were impacted by the breach.
To address the situation, Rite Aid is offering affected customers 12 months of identity monitoring services through risk mitigation and response firm Kroll. These services include credit monitoring, identity theft restoration, and fraud consultation. Customers affected by the breach can contact Rite Aid at 1 (866) 810-8094 for more information.
The hacking group responsible for the breach has been identified as RansomHub by cybersecurity firm HackManac. The group gained access to 10 gigabytes of data, including 45 million lines of personal information. They have set a deadline of July 26 for a ransom payment from Rite Aid. According to a screenshot posted by HackManac, RansomHub claims to have negotiated with Rite Aid regarding the payment, but the company stopped communications.
Cybersecurity company SOC Radar suggests that RansomHub likely has roots in Russia. They note that the group refrains from targeting China, North Korea, Cuba, and the Commonwealth of Independent States, a group of former USSR nations. SOC Radar’s report highlights the similarities between RansomHub’s operations and traditional Russian ransomware setups, as well as the overlap in targeted companies with other Russian ransomware groups.
The Rite Aid data breach has already triggered class action lawsuits, including those from law firms Lynch Carpenter LLC and Console & Associates. Console & Associates wrote in a guide for data breach victims that accepting complimentary credit monitoring services offered by the company does not waive their legal rights to sue. The law firm emphasizes that affected individuals have the right to protect themselves in all possible ways, including participating in any applicable class action lawsuits against Rite Aid for its failure to adequately protect customer data.
This data breach comes at a challenging time for Rite Aid, as the company is currently undergoing bankruptcy proceedings. The retail chain filed for Chapter 11 bankruptcy in July due to mounting debt and slowing sales. To support itself during this process, Rite Aid received $3.45 billion in new financing from its lenders. The company has also been closing numerous stores over the past months.
In conclusion, Rite Aid has experienced a significant data breach affecting millions of customers. While the compromised information does not include sensitive details like social security numbers or financial information, it is still crucial for affected individuals to take appropriate measures to protect themselves from potential identity theft. Rite Aid is providing identity monitoring services, and affected customers should consider participating in any class action lawsuits against the company if they feel their data was not adequately protected.
