In June 2024, Rite Aid, a US-based chain of pharmacy stores, experienced a cyberattack. The attack affected the company’s information systems and resulted in the leakage of customer and employee data. A threat actor known as RansomHub has claimed the attack and shared some details about the information it managed to steal.
Rite Aid Breach Exposes Sensitive Customer Details
In July 2024, one of the largest pharmacy chains in the United States, Rite Aid, disclosed a data breach. According to Rite Aid representatives, this “limited” cyberattack resulted in an unnamed threat actor gaining access to “certain business systems”. In less abstract terms, the attack affected 2.2 million customers. It compromised personal information, including names, addresses, dates of birth, and driver’s license numbers.
Although the company did not name the perpetrators, a group called RansomHub claimed responsibility. They stated they had stolen more than 10 GB of data, equating to about 45 million lines of personal information, far more than Rite Aid reported. RansomHub is believed to be based in Russia or a country friendly to Russia and operates under a ransomware-as-a-service (RaaS) model. They avoid attacking CIS countries, Cuba, North Korea, and China, which hints at their origin.
Details of the Breach
According to Rite Aid, on June 6, an attacker pretended to be a company employee and used stolen credentials to access certain business systems. The incident was discovered within 12 hours, and an internal investigation was immediately launched. However, this was enough time for the data to be leaked. RansomHub stated on its Darknet site that it was in advanced negotiations with Rite Aid officials. However, at some point, the company stopped responding. While Rite Aid did not provide technical details of the attack, such as whether two-factor authentication was in place on the compromised account, information about the stolen data has been disclosed.
The attackers stole data related to purchases and attempted purchases of retail products between June 6, 2017, and July 30, 2018. This data included driver’s license numbers and other possible forms of government identification presented by shoppers during that period. However, Rite Aid claims that threat actors did not steal Social Security numbers, financial information, or patient data. Among the 2.2 million victims, 30,137 were Maine residents. Notably, this is not the first data breach incident involving Rite Aid.
Are Customers at Risk?
A breach of any organization or company involved in healthcare is always a serious privacy threat. Even though some “classic” sensitive data (SSNs and financial information) was not leaked from Rite Aid, everything else is more than enough for data and identity theft. Moreover, as RansomHub claims to have more data than officials say, there is a possibility of other categories leaking to the public.
The worst-case scenario here is, obviously, leaked information about clients’ prescriptions and medical conditions. This is a dream come true for any con artist who performs targeted blackmail or gathers data for further attacks. Having comprehensive information on an individual allows for impersonation attacks. The adversary gains trust by naming facts that are unlikely to be known to a stranger.
In any case, Rite Aid customers should pay additional attention to any suspicious activity around them. Strange calls, emails, or text messages containing data officially disclosed as leaked in the breach report should be considered red flags. Such communications should be treated with additional caution.