Rite Aid Says Breach Exposes Sensitive Details of 2.2 Million Customers (arstechnica.com)
Rite Aid, the third-largest U.S. drug store chain, reported a ransomware attack that compromised the personal data of 2.2 million customers. The data exposed includes names, addresses, dates of birth, and driver's license numbers or other forms of government-issued ID from transactions between June 2017 and July 2018.
"On June 6, 2024, an unknown third party impersonated a company employee to compromise their business credentials and gain access to certain business systems," the company said in a filing. "We detected the incident within 12 hours and immediately launched an internal investigation to terminate the unauthorized access, remediate affected systems and ascertain if any customer data was impacted." Ars Technica's Dan Goodin reports: RansomHub, the name of a relatively new ransomware group, has taken credit for the attack, which it said yielded more than 10GB of customer data. RansomHub emerged earlier this year as a rebranded version of a group known as Knight. According to security firm Check Point, RansomHub became the most prevalent ransomware group following an international operation by law enforcement in May that took down much of the infrastructure used by rival ransomware group Lockbit.
On its dark web site, RansomHub said it was in advanced stages of negotiation with Rite Aid officials when the company suddenly cut off communications. A Rite Aid official didn't respond to questions sent by email. Rite Aid has also declined to say if the employee account compromised in the breach was protected by multifactor authentication.
law needs changing to not 'actual damages found' (Score:4, Insightful)
The current law for data breaches is that individual consumers cannot sue the company unless there are direct and 'actual damages' directly tied to the breach.
There needs to be a way for individual customers to get paid, get insurance, get an annuity, etc. from these data breaches without proving 'actual damages' from the breach.
If an insurance company 'loses' my driver's license number, birth date, tax ID number, etc. and a year later another insurance company loses the same information, which one (likely none) will be able to be sued if some criminal gets a credit card in my name and charges $10,000?
Both will claim that the other one caused my loss.....
Suggest:
1. Data breach company pays into a lifetime insurance for me and future data breaches contribute to that insurance
2. Data breach company pays me $100 or more per breach (no lawyer fees taken out)
3. Data breach company pays $250 to an insurance company which puts it into an annuity which can be taken out as a stream of payments at age 65
The current system lets companies take data breaches as a cost of business and let their general liability insurer pay for it.
Fair Enough (Score:5, Insightful)
Just a couple of preliminary questions:
How many IT layoffs have you had in the last year?
How many qualified engineers over the age of 40 have you passed up hiring in the same interval?
How many IT employees have you promoted in the last year? How many raises have you offered those same employees without being asked?
How are all those layoffs working out for you?
Re: (Score:2)
Wow...
No points or I'd mod you up. You not only summed up the breach, the tech labor market, and corporate America in general.
Well done.
Re: (Score:2)
+1 Figures that I'm out of mod points.
Re: (Score:2)
And then not pay the severance they are contractually obligated to:
https://www.abc27.com/local-ne... [abc27.com]
Oh shut up (Score:4, Insightful)
The only worthless employee is their shitburg CEO who took out loans to buy half the competing pharmacies in the country and then tried to make it work by running them all on skeleton crews with the manager running out of the back room every 5 minutes to take a register.
And it didn't work... and they closed a bunch of pharmacies... and now a lot of neighborhoods have no pharmacy.
Rite Aid is not some woke brand, see for yourself, they have decorative photos in every store. A woman eating an apple even though they don't sell apples, an old couple, they're the same across America but anyhow most of the models are white and those promo photos are the first thing I'd change to do some performative wokeness.