The recent ransomware attack on Rite Aid affected a total of 2.2 million people, the company confirmed in a document filed with the Maine Attorney General’s Office.
The company also provided a copy of the breach notification letter it is sending to those affected, which states that the breach occurred on June 6 and was discovered 12 hours later.
During that time, the threat actors managed to “obtain certain data related to the purchase or attempted purchase of specific retail products,” including “the purchaser’s name, address, date of birth, and driver’s license number or other form of government-issued identification presented at the time of a purchase between June 6, 2017 and July 30, 2018.”
Sensitive data stolen
Following the breach, Rite Aid initially released a statement saying it had been the victim of a ransomware attack that had resulted in data theft. However, it did not say how many people were affected by the incident or what kind of information the attackers had stolen.
“Rite Aid experienced a limited cybersecurity incident in June and we are concluding our investigation,” it said at the time. “We take our obligation to protect personal information very seriously and this incident is a top priority.” “Working with our third-party cybersecurity partner experts, we have recovered our systems and are fully operational.”
Now, the regulatory filing confirms that more than two million individuals were affected, including more than 30,000 Maine residents. Rite Aid also confirmed that the attackers did not steal Social Security Numbers (SSNs), financial information or patient data.
The company said it is implementing “additional security measures” to prevent similar attacks from recurring, but did not explain what those measures are. In addition, those affected will receive free credit monitoring, fraud consultation and identity theft recovery services through Kroll.
Via BleepingComputer