Drugstore chain Rite Aid disclosed that an unnamed threat actor was able to gain access to “certain business systems” and compromise the names, addresses, dates of birth and driver’s license numbers for 2.2 million customers.
The attack started on June 6, according to the U.S.-based company on Monday, when a threat actor impersonated a company employee in order to compromise the employee's business credentials.
When asked via email, Rite Aid did not specify exactly how the employee’s credentials were compromised or whether multi-factor authentication was enabled. A spokesperson instead provided the following statement: “Rite Aid experienced a limited cybersecurity incident in June, and we are finalizing our investigation. We take our obligation to safeguard personal information very seriously, and this incident has been a top priority. Together with our third-party cybersecurity partner experts, we have restored our systems and are fully operational.”
According to a data breach notification submitted Monday to the Office of the Attorney General in Maine, 2.2 million individuals were impacted by the breach (including 30,137 Maine residents). Law enforcement agencies, as well as federal and state regulators, have been looped in, said the company.
The threat actor was able to acquire certain data linked to the purchase or attempted purchase of retail products at the time of purchase between June 6, 2017 and July 30, 2018. The customer data involved driver’s license numbers and other potential forms of government issued IDs presented during this purchase timeframe, opening up the potential for fraud-based attacks. However, social security numbers, financial information and patient information were not impacted in the incident, said Rite Aid.
The company said on its website that it detected the incident within 12 hours, and has since terminated the unauthorized access, remediated impacted systems and determined the level of impacted customer data.
Further details of the attack come after Rite Aid first confirmed the incident last week, on the heels of unsubstantiated claims by the RansomHub ransomware group that they had targeted the drugstore chain.
Rite Aid has dealt with a number of previous breaches, including one in May 2023 that impacted the personal identifiable information and sensitive health data - including insurance information and medication names - of 24,000 former and current customers. That breach stemmed from a vulnerability being exploited by an unknown third party, which was able to access specific files.