Cyber Incident Victim: Sam's Club
Date: Jun 2024
Location: United States of America
Summary
An unauthorized third party impersonated an employee to compromise business credentials and access systems, leading to the exposure of customer data. The breach was detected and terminated within hours, with subsequent investigations confirming the acquisition of purchaser names, addresses, dates of birth, and government-issued identification details linked to specific retail transactions. No financial data, Social Security numbers, or patient health information was compromised. The organization notified affected individuals, reported the incident to authorities, and implemented enhanced security measures to mitigate future risks. Dedicated support channels were established for consumer inquiries regarding potential impact.
Description
On June 6, 2024, Rite Aid Corporation detected unauthorized access to its business systems after an unknown third party impersonated a company employee to compromise legitimate business credentials. The organization identified the intrusion within 12 hours of its occurrence and initiated an immediate investigation to terminate the unauthorized access and remediate affected systems. Rite Aid engaged with law enforcement and notified federal and state regulators about the breach. Forensic analysis determined by June 17, 2024, that the attacker acquired data specifically tied to retail product purchases or attempted purchases occurring between June 6, 2017, and July 30, 2018. The compromised information included purchaser names, physical addresses, dates of birth, and driver’s license numbers or other government-issued identification presented during transactions at Rite Aid stores during that timeframe.

The investigation confirmed no exposure of Social Security numbers, financial account details, or patient health information. Rite Aid began mailing notification letters to potentially affected consumers associated with mailing addresses in its systems, prioritizing individuals whose government-issued ID data was compromised. The company established a dedicated toll-free assistance line, operational until October 15, 2024, to field inquiries from concerned consumers and verify individual impact status. Rite Aid implemented additional security measures to prevent similar credential-based attacks but did not disclose technical specifics regarding system remediation or attacker attribution beyond confirming the impersonation vector. The incident impacted only historical purchase records from a defined 13-month period seven years prior to the breach detection, with no evidence of ongoing unauthorized access after containment efforts concluded on June 6, 2024.
