Monro, Inc. Data Breach Exposes SSNs, Affecting Thousands Across the US

In late 2024, Monro, Inc. discovered suspicious activity involving an employee's email. Upon noticing this unusual activity, the company immediately began an investigation. The investigation revealed that between November 21, 2024, and a limited period thereafter, an unauthorized individual accessed the employee's email account and selected files within it.

The company conducted a thorough review of the affected mailbox, which concluded around January 28, 2025. This review determined that the data breach potentially exposed sensitive personally identifiable information (PII) and certain protected health information (PHI) of 112,458 Americans.

Information Exposed:

• Names
• Social Security numbers
• Addresses
• Dates of birth
• ID numbers
• Certain health information
• Accident history

Monro, Inc. reported this data breach to several state attorneys general offices, including California, South Carolina, and New Hampshire.

Impact by State:

• Massachusetts: 5,026 residents
• South Carolina: 2,821 residents
• New Hampshire: 2,643 residents
• Rhode Island: 975 residents

Monro, Inc.'s Response

In response to this breach, Monro, Inc. took immediate steps to secure its internal systems and prevent further unauthorized access. These actions included changing passwords, modifying internal email settings and controls, and enhancing employee training to increase awareness and prevent future incidents.

Monro, Inc. is providing affected individuals with complimentary access to Experian IdentityWorks for 12 months. This service includes identity restoration assistance, credit monitoring, and identity theft insurance coverage. Individuals affected by the breach are encouraged to enroll in this service by May 30, 2025, using the activation instructions provided in the notification letter.

Additionally, Monro, Inc. advises all potentially affected individuals to remain vigilant by regularly reviewing bank accounts, credit card statements, and credit reports for any unauthorized activities. The company recommends promptly reporting any suspicious activity or suspected identity theft to local law enforcement, the Federal Trade Commission (FTC), state Attorney General offices, and financial institutions. Individuals can also place fraud alerts or security freezes on their credit files by contacting one of the three major credit reporting agencies: Equifax, Experian, or TransUnion.