The recent ransomware attack on Rite Aid affected 2.2 million people overall, the company has confirmed in a filing with the Office of the Maine Attorney General.
The company also provided a copy of the breach notification letter it is sending out to those affected, in which it noted the breach occurred on June 6, and was spotted 12 hours later.
In that time, the threat actors managed to grab “certain data associated with the purchase or attempted purchase of specific retail products,” including “purchaser name, address, date of birth and driver’s license number or other form of government-issued ID presented at the time of a purchase between June 6, 2017, and July 30, 2018.”
Sensitive data stolen
Following the breach, Rite Aid initially issued a statement, saying it suffered a ransomware attack which resulted in data theft, but did not say how many people were affected by the incident, nor what type of information the attackers stole.
“Rite Aid experienced a limited cybersecurity incident in June, and we are finalizing our investigation,” it said at the time. “We take our obligation to safeguard personal information very seriously, and this incident has been a top priority.” “Together with our third-party cybersecurity partner experts, we have restored our systems and are fully operational.”
Now, the filing with the regulators confirmed more than two million affected individuals, including more than 30,000 Maine residents. Rite Aid also confirmed that the attackers did not steal Social Security Numbers (SSN), financial information, or patient information.
The company said it is currently implementing “additional security measures” to make sure these attacks don’t repeat in the future, without explaining what those measures are. Additionally, the affected individuals are getting free credit monitoring, fraud consultation, and identity theft restoration services through Kroll.
Via BleepingComputer
More from TechRadar Pro
Services Marketplace – Listings, Bookings & Reviews