RansomHub has taken credit for the breach Rite Aid recently disclosed.
What happened
Rite Aid Corporation announced on July 15th that the pharmacy chain had suffered a data breach. According to a news release, the breach took place on June 6th, 2024, when an individual impersonated a company employee to access some of Rite Aid’s systems.
In Rite Aid’s filing with attorneys general in Maine and other states, the company said that approximately 2.2 million individuals were impacted. The notice stated that “certain data associated with the purchase or attempted purchase of specific retail products was acquired by the unknown third party.” Data included names, addresses, dates of birth, driver’s license numbers, or other government-issued IDs. Individuals were only impacted if they had attempted or made a purchase at Rite Aid between June 6th and July 7th. The letter stressed that no Social Security numbers, financial information, or patient information were disclosed.
Following the breach, Rite Aid said they reported the incident to law enforcement, as well as federal and state regulators. The company is providing free identity monitoring to impacted individuals.
Going deeper
The notice comes after RansomHub took credit for the attack, claiming to have 10 GB of data from the pharmacy chain. RansomHub stated they successfully compromised Rite Aid customers’ ID numbers and reward numbers.
RansomHub has become a major cybersecurity gang, rising in prominence after they took credit, alongside the gang BlackCat, for the Change data breach. The Change breach impacted nearly one-third of Americans, and caused policy makers and healthcare workers to rethink current security standards.
While RansomHub is known for demanding ransoms from victims, so far, neither Rite Aid nor RansomHub has publicly mentioned a ransom in exchange for the data. Usually, gangs like RansomHub will threaten to expose or sell data to criminals if a ransom is not paid.
Why it matters
Data breaches can have a large impact on a company's reputation and can result in harsh penalties. When an organization faces a large data breach, it can also result in an overhaul of current policies and procedures.
Rite Aid said they plan to take additional measures, stating, “We are also implementing additional security measures to prevent potentially similar attacks in the future.”
Impersonating an employee is a fairly common way for malicious actors to infiltrate networks; doing so can allow the actor to gain privileges until they are able to exfiltrate data.
The big picture
While data breaches like these are becoming more common, they are avoidable. Companies must ensure they have strict security measures in place, including verifying employee identity through strong passwords and multi-factor authentication.
In breaches like these, class action suits are a common result. In time, we will likely know if data has been misused and if any law firms decide to take further action.