Rite Aid has agreed to a $6.8 million settlement to resolve class action claims stemming from a significant cyberattack that compromised the sensitive information of over 2 million customers. The breach, which occurred in June 2024, exposed personal data such as names, addresses, birth dates, and government-issued IDs of individuals who made purchases between June 2017 and July 2018. The settlement, which has been preliminarily approved by U.S. District Judge Harvey Bartle III, offers affected individuals up to $10,000 for verified losses. This decision aims to resolve the claims of negligence raised by customers who were impacted by the breach.
The lawsuit accused Rite Aid of negligence in its handling of customer data and of failing to promptly notify affected individuals about the breach.
Customers criticized the company for its delayed response, which took over a month to issue a formal notification after the breach was detected. Additionally, plaintiffs pointed out that the breach notification lacked critical information, such as whether the hackers had been identified or if the stolen data was being used for ransom. These shortcomings led to a loss of trust among customers, as they felt the response was insufficient given the scale of the breach.
Furthermore, the plaintiffs argued that Rite Aid’s offer of credit monitoring and identity restoration services was inadequate.
They contended that these measures were not sufficient to address the severity of the breach, especially considering that personal details, including government IDs, were compromised. Many customers expressed frustration that Rite Aid failed to clarify whether the stolen data had been circulated on the dark web, fueling further concern regarding potential misuse of their sensitive information. Critics also argued that the company’s delayed response and lack of transparency aggravated the situation.
The breach occurred when an unknown third party impersonated a Rite Aid employee, gaining access to the company’s business systems. While Rite Aid quickly detected the breach within 12 hours and initiated an internal investigation, the exposure of deeply personal customer information raised alarms. In response, the company is providing compensation and offering measures to restore consumer trust, but the incident has highlighted the vulnerabilities in the company’s cybersecurity practices.