Rite Aid admits 2.2 million people’s data stolen by criminals

US drugstore chain Rite Aid has admitted that last month's "data security incident" compromised the data of 2.2 million individuals. The admission came in the form of a "data breach notification" submitted to the Office of the Maine Attorney General on Monday, the day Rite Aid said it would start notifying the affected people …

  1. Version 1.0

    But Original Data Days

    So "Rite Aid admits 2.2 million people’s data stolen by criminals" but not taken by Google? All the time we see lots of stories everywhere about our data being stolen, but very few details about every other data synchronization where companies commercially profit from our details.

    Connor Jones, I'm not complaining; thanks for a description of this event. My view is that originally, about 40 years ago, when people's data was collected, it was only used to try and help the person who was the source of the data, but these days it's only seen as profitable. Oh yes, I appreciate the past long ago when I was collecting only simple items and deleting everything ASAP.

  2. Dave Pickles

    "The stolen data appears to be limited to a relatively short timeframe – only purchases made between June 6, 2017, and July 30, 2018, were affected."

    Why were they holding data on purchasers and purchases from seven years ago??

    1. cyberdemon

      I suspect because they are legally required to delete it after 7 years, and so they would be ill-advised to admit that any data older than that had been stolen...

    2. John Brown (no body)

      ...and why such a specific time frame of 13 months? Was this "old" data not really used but legally required to be retained? Why not 12 months' worth of data? And if data must be retained for some length of time, surely a rolling monthly process of deleting old data would be better than having "expired" data sitting around for a year. Legally required data retention usually has maxima and minima that don't include a full year or more of "limbo" data that is past the minimum retention period but still inside the "it's OK to still have it" window for over a year.

    3. MachDiamond

      "Why were they holding data on purchasers and purchases from seven years ago??"

      It would depend on what products were purchased. There are a myriad of regulations in the US when it comes to prescription meds, so there's a possibility that they might have been required to save the info. Although they probably didn't just keep what was legally required, but everything else surrounding the transaction as well, such as payment method, etc.

      There needs to be a higher standard of data protection in this instance, as there is no way to opt out of the data storage for prescription meds, and if you need them, you need them and can't just decide to forgo getting them due to privacy concerns.

  3. mahan

    Solution: An Incentive for Management to Prioritize the Security of Personal Information

    Today, there are almost no consequences for having your customer database stolen. While bad press exists, with the frequency of new breaches, it is becoming less impactful, and an organization is unlikely to lose much goodwill. The cost of experiencing a breach is, therefore, severely diminished.

    It's time for big governments to enact laws that hold the entity collecting personal information responsible for its theft. This could be as simple as a flat rate per affected person and per breach damage cost. The fees don't need to be exorbitant, just significant enough to place them on the risk and budget spreadsheets of companies. Imagine a damage fee per person affected of $5 for personal information and $10 for sensitive information (credit card details, passwords, correspondence, health information).

    This financial risk is all that is needed for companies to start prioritizing this issue. They need to weigh this risk against possible investments in security for their data systems. Consequently, insurance companies would begin offering packages to cover firms against personal information theft damages. These insurance companies would then create a list of security requirements their customers need to meet to be eligible for insurance payouts.

    This is not in any way targeted specifically at Rite Aid, but rather a commentary on the PI-theft situation as a whole.

    TL;DR: Putting a price tag on losing personal information would almost instantly create a new market for the standardization of best practices and auditing for systems and infrastructure handling Personal Information, reducing the risk of fines.
