Rite Aid, one of the largest pharmacy companies in the US, admitted that the June data breach of its systems affected the personal information of about 2.2 million customers. According to reports, the attackers successfully stole data last month in what the company called a data security incident.
This pharmaceutical company employs more than 6,000 pharmacists and has a total workforce of about 45,000. It also has 1,700 retail locations in 16 states in the US, meaning the campaign could inflict severe damage.
Rite Aid revealed that the threat actors used the credentials of one of its employees to gain access to its network.
Rite Aid stated in its data breach notification letters that it discovered the incident last month, almost half a day after the attackers breached its network using an employee’s credentials.
In addition, the company concluded its initial investigation by June 17, 2024, revealing that an unauthorised individual had acquired some data related to purchasing or attempting to purchase particular retail products.
The information confirmed stolen during the incident includes the purchaser’s name, address, date of birth, and driver’s license number or other government-issued ID presented between June 2017 and July 2018.
Still, Rite Aid assured everyone that no clients’ Social Security numbers, financial details, or health information were exposed because of the data breach.
Meanwhile, the RansomHub ransomware gang claimed responsibility for the cyberattack and said it had stolen consumer data from Rite Aid, although the company has not yet revealed who was behind the June attack.
The ransomware group claimed that while accessing the company’s network, they collected about 10 GB of client information, which equates to over 45 million lines of personal information. According to RansomHub’s dark web leak site, the stolen information includes name, address, dl_id number, dates of birth, and rewards number.
Furthermore, the group added the pharmaceutical company to its data leak site after the company allegedly stopped paying or negotiating. This action prompted the ransomware group to post a screenshot of the purported stolen data as proof, claiming that it would leak the rest in two weeks.
Rite Aid has yet to address these allegations, which could be a wrong move for the company, as the threat actors could announce the data leak at any time.