2024 Cybersecurity

Rite Aid hit by data breach that exposed names, birthdates, driver's licenses, and more

Is 2024 the year of the data breach? It certainly seems like it with what's happened to AT&T, Ticketmaster, and Advanced Auto Parts.

Now, less than a year after going through a bankruptcy filing and a spate of store closings, Rite Aid has gone public with its discovery of an “incident” that involved “certain consumers’ personal information,” too.

In its disclosure, the company said that on June 6, 2024, an unknown third party compromised certain business systems by impersonating a Rite Aid employee. The company said it detected the incident within 12 hours and immediately launched an investigation to terminate the unauthorized access, remediate affected systems and ascertain if any customer data was impacted. 

Are you affected?

If you are a Rite Aid shopper or use its pharmacy to fill prescriptions, you no doubt are concerned about the safety of your personal data. To that end, the company admitted that the data included:

  • Purchaser name

  • Address

  • Date of birth 

  • Driver’s license number or other form of government-issued ID…

...“presented at the time of a purchase between June 6, 2017, and July 30, 2018.”

However, Rite Aid said no Social Security numbers, financial information or patient information was impacted by the incident. The company did not release the total number of records compromised in the breach.

The company said it is mailing letters to any potentially affected consumer who was associated with a mailing address in its systems.

“We regret that this incident occurred and are implementing additional security measures to prevent potentially similar attacks in the future,” the company said in its announcement.

“We are committed to protecting consumers’ information, and anyone with additional questions may call our dedicated assistance line toll-free at (866) 810-8094 from 8 a.m. to 5:30 p.m. Central Time, Monday – Friday, excluding holidays.”

“If you are a Rite Aid consumer who did not receive a letter regarding this incident, but you would like to know if you were affected, please call our dedicated assistance line.”

In its report on the second quarter of 2024, the Identity Theft Resource Center (ITRC) found the number of publicly reported data breaches declined 12% over the second quarter of 2023. However, the number of people affected by those breaches surged, rising to 1,041,312,601, a 1,170% increase over the same period in 2023.

FCC moves to beef up security of home ‘smart’ devices

How many “smart” devices are in your home? And how many are vulnerable to hackers?

Those are not questions many consumers ask themselves but should. Thermostats, garage door openers – anything that can be controlled using your smartphone – are connected to the internet.

The Federal Communications Commission (FCC) is creating a voluntary cybersecurity labeling program for Internet of Things (IoT) devices and other consumer-facing products that rely on an internet connection. The idea is to make consumers more aware that these devices are connected to the internet and, just like PCs and tablets, need protection.

Dominic Chorafaklis, a principal at cybersecurity firm Akouto, says the FCC’s move is a step in the right direction but that a lot more needs to be done.

How concerned are manufacturers about security?

“The companies that make consumer IoT devices tend to be more concerned about keeping their products cheap and simple than about making them secure, which does come at a cost,” he told ConsumerAffairs. “Even when security features are built in, they often rely on consumers taking steps to enable them and configure them correctly.”

And many times, consumers don’t. They often keep the default login, which tends to be very simple and very hackable.

Tim Mackey, head of Software Supply Chain Risk Strategy at Synopsys Software Integrity Group, says the U.S. is just catching up with the rest of the developed world by taking this step.

“From a consumer perspective, this new program is completely voluntary,” Mackey said. “That means that we won’t suddenly see an influx of certified devices on store shelves or from online retailers. Instead, consumers should expect to see manufacturers who take cybersecurity seriously aggressively pursuing certification.”

Some will and some won’t. Mackey says consumers should look for the certification label and QR code when shopping for smart devices because their security will be the most robust.

The weakest link

Maria-Kristina Hayden is CEO and founder of OUTFOXM, a cyber hygiene and resiliency company. She comes from a background in U.S. intelligence, where cybersecurity is a top priority. She points out that one weak IoT device in a home can grant an attacker access to all other devices on that home network.

“Consumers must be provided with easy-to-understand instructions about choosing secure IoT devices and how to configure settings,” she told us. “This is where the FCC's proposal should really help.”

The FCC says the smart products covered by its new rule and that meet certain requirements will be able to use the label on packaging and advertising, similar to the ENERGY STAR label that shows that a product is energy efficient. Outside, accredited research labs will perform the testing.