Millions of Rite Aid Customers’ Information Stolen in Hack: What We Know

Roughly 2 million Rite Aid customers saw their information stolen in a hack, the company announced this week.

RansomHub, the ransomware gang claiming responsibility for the hack, estimated that 45 million customers were affected, but Rite Aid told PC Mag that the actual number was far lower. The drugstore company said the data breach, which happened on June 6, concerned customer information from 2017 and 2018.

During the breach, a hacker impersonated a company employee using that employee's login credentials and stole “certain data associated with the purchase or attempted purchase of specific retail products,” according to Rite Aid.

Rite Aid became aware of the hack 12 hours later and said valuable information was lost in the attack.

“This data included purchaser name, address, date of birth and driver’s license number or other form of government-issued ID presented at the time of a purchase,” the company said.

The stolen data covers only customers from June 6, 2017, to July 30, 2018. Customers outside of that period would not be affected.

“Most likely, the stolen data will be sold on the dark web in bulk to the highest bidder,” Andrew Newman, cybersecurity firm ReasonLabs founder and CTO, told Newsweek. “Users should be on the lookout for newly developing scams and frauds as this data, in combination with other stolen data points on a user, can often be used to commit financial fraud or identity theft.”

Rite Aid told Newsweek: “Rite Aid experienced a limited cybersecurity incident in June, and we are finalizing our investigation. We take our obligation to safeguard personal information very seriously, and this incident has been a top priority. Together with our third-party cybersecurity partner experts, we have restored our systems and are fully operational. We are sending notices to impacted consumers.”

No Social Security numbers, financial data or health care data were stolen, the company said.

RansomHub said it would give Rite Aid 10 days to pay, or it would leak the stolen data.

“From this it is obvious that the Riteaid leadership don’t value the safety of its customers sensitive details,” RansomHub said, as reported by PC Mag.

Rite Aid opened a toll-free line at (866) 810-8094 to answer questions from concerned customers. The line will be available from 8 a.m. to 5:30 p.m. Central Time until October 15.

While information like Social Security numbers was not disclosed, the breach could still be a problem for customers, depending on what retail data was lost.

“This could obviously be a problem for many consumers since the actual products purchased were disclosed,” Collin Walke, a cybersecurity and data privacy partner at national law firm Hall Estill, told Newsweek. “This means that customers’ potentially sensitive medical information is now potentially out there for purchase and pilfer.”

The company said it would be mailing letters to customers who were likely affected.

“We regret that this incident occurred and are implementing additional security measures to prevent potentially similar attacks in the future,” Rite Aid said in a statement. “We also reported the incident to law enforcement, as well as federal and state regulators.”

Rite Aid had faced financial troubles before the data breach and filed for bankruptcy in October.

Today, the drugstore giant operates roughly 1,700 locations and employs more than 50,000 workers.

Last week, AT&T also reported a widespread hack that put the majority of its wireless customers at risk. In that data breach, hackers stole information, including records of customer calls and texts from May 1 to October 31, 2022, as well as records from January 2, 2023.

“Any company that becomes involved in a data breach, ransomware attack, or other breach is often in for a long fight of trying to recoup lost IP, money, consumer trust, and other valuables,” Newman said.