A threat actor has reportedly claimed responsibility for a March 2024 data breach that affected the Canadian retail chain Giant Tiger, which compromised 2.8 million customer records.
The breach, which Giant Tiger confirms happened on March 4, happened because of a cybersecurity incident with one of the company’s third-party vendors.
“In March 2024, the Canadian discount store chain Giant Tiger Stores Limited, suffered a data breach that exposed over 2.8 million clients,” the threat actor said while dumping the stolen data on a hacker forum. “The breach includes over 2.8 million unique email addresses, names, phone numbers, and physical addresses.”
While there hasn’t yet been a confirmation on the claim by either the company or any involved parties, media reports have been able to trace a member comment on the forum that said, “I finally opened 60 of the 60 pages of the database section!”
Data available for free
According to reports, the hacker has dropped the data set for free on a hacker forum, but the download link can only be unlocked by spending “8 credits.” Credits are typically earned by a member through commenting on existing posts or contributing new posts.
The caption made with the dump claims that the dataset is “full” and, on requests of a “preview” of sample data by members, displays a small snippet of the customers’ personal data.
On April 12th, to make it easy for users to check if their information was hacked, breach tracking service HaveIBeenPwned added the leaked database to its website.
The incident contributed a total of 2,842,669 breached records to the HIBP database, of which the service noted that 46% were duplicates already present in its records.
As email IDs and phone numbers have been compromised in this breach, Giant Tiger customers should exercise caution while responding to messages or emails received from the chain regarding payment information or alerts for payment completion.
Breach through third-party
Giant Tiger, in the statement issued on March 23, said they became aware of issues that affected a “third party vendor” the company uses to manage interactions with customers.
Because of the nature of business operations handled by the said third party, the company said, the compromised information may vary by individual. Information may include the names and email addresses of the customers who either subscribed to Giant Tiger emails or had accounts created on its official website.
Additionally, it may include the name, address, and phone numbers of the Giant Tiger VIP loyalty members or customers placing an online order for delivery or pick up at a local store.
“We deeply regret that the incident occurred,” the chain said in a statement. “We want to assure you that we are making every effort to resolve the incident as quickly and as transparently as possible.” The company said that it has sent notices to all relevant customers informing them of the situation.