
Rite Aid says 2.2 million people affected in data breach

Rite Aid, the third-largest pharmacy chain in the US, has filed a data breach notification reporting that a June ransomware attack compromised the personal data of roughly 2.2 million people.

Ransomware group RansomHub claimed responsibility for the attack that took place on June 6, 2024. Ransomware groups are always looking for ways to increase their leverage over their victims, and threatening to leak stolen customer data is one of their most common methods.

RansomHub’s leak site lists Rite Aid next to a ransom demand and the usual countdown timer. The group has threatened to publish the stolen data if it is not paid before the timer expires on July 26.

Rite Aid listing on RansomHub leak site

Rite Aid discovered the breach on June 20 and started an investigation. According to Rite Aid, restoration of the affected systems is now complete.

Reportedly, the stolen data appears to be limited to purchases made between June 6, 2017, and July 30, 2018. Rite Aid says the data includes names, addresses, dates of birth, and driver’s license or other government ID numbers.

RansomHub claims that:

“While having access to the Riteaid network we obtained over 10 GB of customer information equating to around 45 million lines of people’s personal information. This information includes name, address, dl_id number, dob, riteaid rewards number.”

Rite Aid is offering affected customers a standard 12 months of credit monitoring from Kroll. Details on how to claim that offer can be found in the letter it’s sending customers.

Protecting yourself after a data breach

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

  • Check the vendor’s advice. Every breach is different, so check with the vendor to find out what’s happened, and follow any specific advice they offer.
  • Change your password. You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
  • Enable two-factor authentication (2FA). If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
  • Watch out for fake vendors. The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify the identity of anyone who contacts you using a different communication channel.
  • Take your time. Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
  • Consider not storing your card details. It’s definitely more convenient to get sites to remember your card details for you, but we highly recommend not storing that information on websites.
  • Set up identity monitoring. Identity monitoring alerts you if your personal information is found being traded illegally online, and helps you recover afterwards.
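The 2FA advice above hinges on one property: a one-time code can be typed into a lookalike site and forwarded to the real one, while a FIDO2 assertion is bound to the origin the browser was actually on. The simulation below is an added example written for this page, not code from Malwarebytes or from any of the parties mentioned; the domain names are constructed, and an HMAC keyed with the credential secret stands in for the authenticator’s public-key signature so that the script runs with only the Python standard library. What it shows is the relay: a phishing proxy replays a genuine TOTP code successfully, but an assertion signed on the phishing origin fails the relying party’s origin and rpIdHash checks.

```python
import hashlib
import hmac
import json
import secrets
import struct

# Constructed names for the example; not real services.
RP_ID = "example-pharmacy.test"
REAL_ORIGIN = "https://" + RP_ID
PHISH_ORIGIN = "https://example-pharmacy-login.test"  # attacker's lookalike site


# --- TOTP (RFC 6238, HMAC-SHA1, 30-second step, 6 digits) -----------------
def totp(secret: bytes, unix_time: int) -> str:
    counter = struct.pack(">Q", unix_time // 30)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % 1_000_000
    return f"{code:06d}"


def totp_server_accepts(secret: bytes, code: str, unix_time: int) -> bool:
    return hmac.compare_digest(code, totp(secret, unix_time))


def totp_phish_relay(secret: bytes, unix_time: int) -> bool:
    # The victim reads the code off their phone and types it into the phishing page.
    code_typed_on_phish = totp(secret, unix_time)
    # The proxy forwards it to the real site within the same time step: nothing
    # in the code says where it was typed, so the real server accepts it.
    return totp_server_accepts(secret, code_typed_on_phish, unix_time)


# --- WebAuthn-style assertion (simplified) -------------------------------
def browser_get_assertion(cred_key: bytes, origin: str, challenge: str):
    """Simulates navigator.credentials.get() on a page served from `origin`.

    The browser, not the page, fills in clientDataJSON.origin and derives the
    RP ID from the page's effective domain, so a phishing page cannot lie about
    either. `cred_key` is an HMAC key standing in for the credential's private key.
    """
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": origin},
        sort_keys=True,
    ).encode()
    rp_id = origin.split("://", 1)[1]
    # authenticatorData = rpIdHash (32) || flags (1, UP set) || signCount (4)
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + (0).to_bytes(4, "big")
    signed = auth_data + hashlib.sha256(client_data).digest()
    signature = hmac.new(cred_key, signed, hashlib.sha256).digest()
    return client_data, auth_data, signature


def rp_verify(cred_key: bytes, challenge: str, client_data: bytes,
              auth_data: bytes, signature: bytes) -> bool:
    """Relying-party checks from the WebAuthn assertion verification procedure."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge:
        return False
    if cd.get("origin") != REAL_ORIGIN:          # origin binding
        return False
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():  # rpIdHash
        return False
    if not auth_data[32] & 0x01:                 # user-presence flag
        return False
    signed = auth_data + hashlib.sha256(client_data).digest()
    expected = hmac.new(cred_key, signed, hashlib.sha256).digest()
    return hmac.compare_digest(signature, expected)


def fido2_legitimate_login(cred_key: bytes, challenge: str) -> bool:
    cd, ad, sig = browser_get_assertion(cred_key, REAL_ORIGIN, challenge)
    return rp_verify(cred_key, challenge, cd, ad, sig)


def fido2_phish_relay(cred_key: bytes, challenge: str) -> bool:
    # The proxy forwards the real server's challenge to the victim, whose browser
    # is on the phishing origin. The assertion it gets back carries that origin
    # and rpIdHash, so relaying it to the real server fails verification.
    cd, ad, sig = browser_get_assertion(cred_key, PHISH_ORIGIN, challenge)
    return rp_verify(cred_key, challenge, cd, ad, sig)


if __name__ == "__main__":
    totp_secret = secrets.token_bytes(20)
    cred_key = secrets.token_bytes(32)
    challenge = secrets.token_urlsafe(32)
    print("TOTP relayed through phishing proxy accepted:", totp_phish_relay(totp_secret, 1_700_000_000))
    print("FIDO2 legitimate login accepted:            ", fido2_legitimate_login(cred_key, challenge))
    print("FIDO2 relayed through phishing proxy accepted:", fido2_phish_relay(cred_key, challenge))
```

The real protocol adds a server-generated random challenge per login, a stored public key and signature counter per credential, and the browser’s registrable-domain check on the RP ID; the two lines that defeat the proxy are the origin comparison and the rpIdHash comparison in `rp_verify`.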

Check your digital footprint

Malwarebytes has a free tool for you to check how much of your personal data has been exposed online. Submit your email address (it’s best to give the one you most frequently use) to our free Digital Footprint scan and we’ll give you a report and recommendations.

ABOUT THE AUTHOR

Pieter Arntz

Malware Intelligence Researcher

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.