Rite Aid data breach: 2.2M customers impacted

Key points

• 2.2M customers affected, exposing personal info.
• Breach found June 6, responded within 12 hours.
• Names, addresses, DOBs, and IDs from 2017-2018.
• Ransomware group RansomHub claims responsibility.
• Hackers impersonated Rite Aid staff, using social engineering tactics.

How did the breach occur?

The attack began when hackers successfully impersonated a Rite Aid employee, compromising their credentials to gain unauthorized access to the company’s business systems. The cybercriminals used these stolen credentials to log into Rite Aid’s network, bypassing initial security measures.

Once inside, they were able to access and exfiltrate sensitive customer data from a specific timeframe.

The ransomware group RansomHub has claimed responsibility for the attack, threatening to leak the stolen data unless a ransom is paid.

These sophisticated breach tactics mirror those employed in the recent Snowflake supply chain attacks, which affected major companies including Ticketmaster, Santander Bank, and multiple-breach victim AT&T, who also suffered a major breach exposing 73m customer records earlier this year.

What is an impersonation attack?

An impersonation attack occurs when a malicious actor poses as a trusted person or entity to deceive employees and gain unauthorized access to sensitive information, systems, or funds. The process typically involves:

• Target selection: Identifying an employee with access to valuable resources.
• Research: Gathering information about the target and the person to be impersonated.
• Impersonation: Creating convincing credentials (e.g., email account) of the impersonated identity.
• First contact: Reaching out to the target with a plausible reason for communication.
• Request: Asking the target to perform an action, such as sharing login credentials or transferring money.

These attacks often rely on social engineering tactics, exploiting human psychology to manipulate victims. Common methods include phishing emails, phone calls (vishing), text messages (smishing), and the use of fake websites (cousin domains). Attackers may also employ more sophisticated techniques like man-in-the-middle attacks or account takeovers.

What data was stolen?

Compromised customer information includes:

• Names
• Addresses
• Dates of birth
• Driver’s license numbers or other government-issued ID numbers

Rite Aid has stated that no Social Security numbers, financial information, or patient data were impacted. The affected data is associated with purchases or attempted purchases made between June 6, 2017, and July 30, 2018.

What now?

Rite Aid detected the unauthorized access within 12 hours and immediately took steps to terminate it. The company has engaged third-party cybersecurity experts to assist with the investigation and system restoration and has reported the incident to relevant authorities.

As a precautionary measure, Rite Aid is offering 12 months of free credit monitoring and identity protection services to affected individuals.

Rite Aid data breach: what’s the impact?

The full impact of the breach is still unfolding. However, cybersecurity experts warn that the stolen data could be sold on the dark web, potentially leading to identity theft or financial fraud. The incident will likely also have reputational consequences for Rite Aid, which is already navigating a complex bankruptcy restructuring process.

Increased scam risks for AP teams

The theft of customer data in breaches like this one poses significant downstream risks, particularly for accounts payable (AP) teams. Here’s how:

1. Enhanced phishing attempts: Armed with accurate customer information, scammers can craft highly convincing phishing emails. These may impersonate Rite Aid, its partners, or even affected customers, potentially tricking AP staff into approving fraudulent transactions or revealing sensitive financial information.
2. Business email compromise (BEC) scams: Cybercriminals can use the stolen data to create more believable impersonation attacks. They might pose as vendors, executives, or other trusted parties to request urgent wire transfers or changes to payment details.
3. Identity theft and fraud: With access to personal information, scammers can potentially create fake identities or impersonate real individuals. This could lead to the creation of fraudulent vendor accounts or attempts to manipulate existing financial relationships.
4. Social engineering: Detailed personal information allows scammers to build rapport more easily, making their attempts to manipulate AP staff more convincing and potentially successful.
5. Supply chain attacks: If vendor information was compromised, attackers could use this to infiltrate supply chains, potentially leading to fraudulent invoices or compromised vendor payments.

Finance leaders should ensure AP teams are equipped in two areas:

• Scam awareness training: Staff should be kept up-to-date with the latest data breaches / scams so they are on alert in the aftermath. Regular awareness training also helps them identify warning signs and the latest scam tactics.
• Bulletproof financial controls: Even with a highly-trained team, human error is unavoidable. You need strong financial controls to ensure strict anti-fraud processes and procedures are in place. Automating critical controls like segregation of duties reduces room for human error.