Dollar Tree confirms significant data breach

A supply chain attack resulted in stolen Social Security Numbers

UPDATE: In a statement, a Dollar Tree spokesperson told TechRadar Pro, “Zeroed-In is a vendor that we and other companies use. They informed us that they identified a security incident, and they provided notice of the incident to current and former employees.”

Retail giant Dollar Tree has become the latest victim in a long list of supply-chain attacks.

According to a data breach notification filed with the Maine Attorney General, the company’s service provider Zeroed-In Technologies was breached, and sensitive data from its client was stolen over August 7 and 8, 2023.

Potential for class-action lawsuits

So far, it has been confirmed that at least some of the data belonged to employees of Dollar Tree and Family Dollar.

“While the investigation was able to determine that these systems were accessed, it was not able to confirm all of the specific files that were accessed or taken by the unauthorized actor,” the company said in a letter sent to the victims, BleepingComputer reports.

“Therefore, Zeroed-In conducted a review of the contents of the systems to determine what information was present at the time of the incident and to whom the information relates.”

Besides notifying the victims, Zeroed-In enrolled them in a year-long identity protection and credit monitoring service.

The media are also reporting that different law firms have started investigating the breach to see if there is any potential for a class-action lawsuit against Zeroed-In.

Console & Associates, for example, set up a dedicated landing page saying “Our data breach lawyers are eager to speak to victims of the ZeroedIn Technologies data breach to determine what damages they sustained and what compensation may be available to them.”

The company is currently silent on the matter, as there is nothing on its newsroom site or Twitter. The type of attack that Zeroed-In suffered remains a mystery. We don’t know if it was infostealing malware, or if the company suffered a ransomware attack.

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
