US drugstore chain Rite Aid has admitted that last month's "data security incident" compromised the data of 2.2 million individuals.

The admission came in the form of a "data breach notification" submitted to the Office of the Maine Attorney General on Monday, the day Rite Aid said it would start notifying the affected people. Such disclosures often surface on the Maine's AG page because of state-specific breach disclosure laws.

"We are writing to tell you about a data security incident that may have exposed some of your personal information," the letter to victims says. "We take the protection and proper use of your information very seriously. For this reason, we are contacting you directly to explain the circumstances of the incident."

The break-in is said to have taken place on June 6 and was detected within 12 hours, after which time an investigation into the damage began. Rite Aid said it became aware 11 days later that data associated with the purchase of "specific retail products" was stolen by the attackers.

Ironically, the pharmacy group didn't actually specify what these retail products were, nor did RansomHub - the group that claimed responsibility for the attack. The criminals claimed to have stolen 10 GB worth of data, though, equivalent to 45 million lines of personal information, or so they said.

As for what comprised that information, the drugstore biz said names, addresses, dates of birth, and the numbers associated with driver's licenses or other ID documents were stolen. That aligns with RansomHub's description of the data too, except the crims said Rite Aid rewards numbers were included too. No social security numbers, financial records, or patient information was implicated.

The stolen data appears to be limited to a relatively short timeframe - only purchases made between June 6, 2017, and July 30, 2018, were affected.

"We regret that this incident occurred and reported it to law enforcement, as well as federal and state regulators," the letter states. "We are also implementing additional security measures to prevent potentially similar attacks in the future. 

"We take our obligation to safeguard personal information very seriously and are alerting you about this issue in case you would like to take any additional steps to help protect yourself."

As is the case with major info theft in online attacks in the US, those who have had their data stolen were offered the standard 12 months of credit monitoring from Kroll. Details on how to claim that offer are included in the communications to customers.

Rite Aid is the latest high-profile scalp claimed by the crims behind the RansomHub operation, which also laid claim to attacks on auctioning giant Christie's and telco Frontier Communications earlier this year.

The relatively new gang on the block spun up in February 2024 and has risen to prominence in the ransomware scene following the recent downfalls of two major players - LockBit and ALPHV/BlackCat. 

RansomHub believed to be a rebrand of the Knight ransomware group, which itself was a rebrand of the Cyclops gang, and its affiliate program is populated by some of the most sophisticated groups in the world, including Las Vegas casino heisters Scattered Spider.

And if you were wondering whether Rite Aid will make a payment to the extortionists, we checked in with the company about that and will update this story if we hear anything. 

However, the crims said the negotiations broke down and the company still appears on their victim blog, so all signs suggest a payment hasn't been made yet, and may never be. ®

https://www.theregister.com//2024/07/16/rite_aid_says_22_million/