The third-party security incident stemmed from Zeroed-In Technologies, a people analytics and data management company.
On August 8, 2023, Zeroed-In detected suspicious activity on its systems and launched an investigation.
“Through the investigation, it was determined that an unauthorized actor gained access to certain systems between August 7, 2023, and August 8, 2023,” the letters to the affected individuals stated.
However, Zeroed-In could not authoritatively determine which files the threat actor had accessed.
“While the investigation was able to determine that these systems were accessed, it was not able to confirm all of the specific files that were accessed or taken by the unauthorized actor.”
Dollar Tree’s third-party data breach exposed sensitive employee information
A subsequent review of the stored information determined that the attackers accessed the victims’ sensitive data.
“Therefore, Zeroed-In conducted a review of the contents of the systems to determine what information was present at the time of the incident and to whom the information relates,” said Dollar Tree.
Data attributes exposed by the third-party data breach include the victims’ names, dates of birth, and/or Social Security numbers. These details are a goldmine for criminals interested in fraud and identity theft.
Approximately 1,997,486 Dollar Tree and Family Dollar employees were impacted. According to a regulatory filing with the Office of the Maine Attorney General, “applicants and current and former employees of its clients” were impacted.
The Linthicum, Maryland-based company secured its network, informed law enforcement, and reviewed its internal policies to prevent similar data breaches. Additionally, it offered 12 months of credit monitoring, identity restoration services, and identity theft insurance through TransUnion to protect the victims’ sensitive data from exploitation by threat actors.
“Cybercriminals can use the stolen Social Security numbers and other personal data to commit identity fraud, such as applying for credit in victims’ names,” said Paul Bischoff, Consumer Privacy Advocate at Comparitech. “This breach occurred back in August, so attacks might have already begun.”
The status of the stolen personal data is unclear for now, but several law firms, including Console Associates, are considering class action lawsuits against the people analytics firm.
Third-party data breaches highlight risk to customers
Dollar Tree’s third-party data breach highlights the risk vendors pose to the organizations that rely on them, underscoring the need to incorporate vendor risk management into a company’s cybersecurity strategy.
“Breaches of this type underscore the need for companies to ensure that their technology partners keep their operating systems and applications up to date, protecting against cyberattacks,” said Chris Hauk, Consumer Privacy Champion at Pixel Privacy.
Although the discount store bears little direct responsibility for the breach, it has yet to issue a comprehensive statement about the third-party data breach.
It remains unclear whether the retail chain is supporting the third-party data breach victims in any way. Primary organizations remain responsible for ensuring that the personal data they hand to third parties is stored safely. Consequently, they should lead from the front when responding to employee data breaches.
“As is typical with breaches like this, Dollar Tree is laying the blame squarely on a third-party vendor, Zeroed-In,” said Bischoff.
Dollar Tree operates 16,622 locations in the U.S. and Canada; the third-party data breach impacted workers in both countries.