In late 2024, Monro, Inc. discovered suspicious activity involving an employee's email. Upon noticing this unusual activity, the company immediately began an investigation. The investigation revealed that between November 21, 2024, and a limited period thereafter, an unauthorized individual accessed the employee's email account and selected files within it.
The company conducted a thorough review of the affected mailbox, which concluded around January 28, 2025. This review determined that the data breach potentially exposed sensitive personally identifiable information (PII) such as names, Social Security numbers, addresses, dates of birth, and ID numbers. Additionally, certain protected health information (PHI), including accident histories collected from employees, may have also been compromised.
The breach impacted thousands of individuals across multiple states. For example, in South Carolina, 2,821 individuals were affected, according to the South Carolina Attorney General's disclosure. In New Hampshire, 2,643 individuals were impacted, as detailed in the New Hampshire Attorney General's disclosure. The breach was also officially reported to the California Attorney General's office on March 24, 2025.
In response to this breach, Monro, Inc. took immediate steps to secure its internal systems and prevent further unauthorized access. These actions included changing passwords, modifying internal email settings and controls, and enhancing employee training to increase awareness and prevent future incidents.
Monro, Inc. is providing affected individuals with complimentary access to Experian IdentityWorks for 12 months. This service includes identity restoration assistance, credit monitoring, and identity theft insurance coverage. Individuals affected by the breach are encouraged to enroll in this service by May 30, 2025, using the activation instructions provided in the notification letter.
Additionally, Monro, Inc. advises all potentially affected individuals to remain vigilant by regularly reviewing bank accounts, credit card statements, and credit reports for any unauthorized activities. The company recommends promptly reporting any suspicious activity or suspected identity theft to local law enforcement, the Federal Trade Commission (FTC), state Attorney General offices, and financial institutions. Individuals can also place fraud alerts or security freezes on their credit files by contacting one of the three major credit reporting agencies: Equifax, Experian, or TransUnion.