Cyber Incident Victim: Rite Aid
Date:
Jun 2024
Location:
United States of America
Summary
A security breach occurred when an unauthorized third party impersonated an employee to compromise business credentials and access systems, prompting immediate detection and investigation to terminate the intrusion. The compromised data included purchaser names, addresses, dates of birth, and government-issued identification details linked to specific retail transactions during a historical period, though no social security numbers, financial data, or patient information was affected. The organization notified potentially impacted individuals, implemented additional security measures, and reported the incident to authorities while offering a dedicated assistance line for inquiries.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 2 motives | 2 techniques |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On June 6, 2024, Rite Aid Corporation detected unauthorized access to its business systems after an unknown third party impersonated a company employee to compromise legitimate business credentials. The organization identified the intrusion within 12 hours of its occurrence and immediately initiated an investigation to terminate the unauthorized access and remediate affected systems. Concurrently, Rite Aid engaged law enforcement and notified federal and state regulators about the incident. The investigation sought to determine whether customer data had been accessed or exfiltrated during the breach. By June 17, 2024, forensic analysis confirmed that the threat actor had acquired specific consumer data related to retail product purchases or attempted purchases occurring between June 6, 2017, and July 30, 2018. The compromised information included purchaser names, physical addresses, dates of birth, and either driver’s license numbers or other government-issued identification presented at the point of sale during the specified timeframe. No evidence indicated that social security numbers, financial account details, or patient health information were accessed or exposed.
Rite Aid began mailing notification letters to potentially affected consumers associated with mailing addresses in its systems following the confirmation of data exposure. The company established a dedicated toll-free assistance line operational until October 15, 2024, to address consumer inquiries and verify individual impact status. Internal remediation efforts focused on implementing additional security measures designed to prevent similar credential compromise and system access incidents in the future. Rite Aid emphasized its commitment to safeguarding personal information but did not disclose technical specifics regarding the compromised business systems, attacker methodologies beyond credential impersonation, or the total number of affected individuals. The organization confirmed the incident’s containment within the initial response phase and maintained no further unauthorized activity beyond the June 6, 2024, detection timeframe.