Dollar Tree Supply Chain Attack Could Affect Millions of People

Discount retailer Dollar Tree has been hit by a supply chain cyberattack that has put some two million people’s personal information at risk after a digital break-in of third-party service provider Zeroed-In Technologies.

The Fort Myers, Florida-based Zeroed-In is a data and technology consultancy that provides workforce analytical services to its clients.

Dollar Tree, which operates roughly 16,000 eponymous and Family Dollar outlets in North America, was struck in a manner reminiscent of the massive 2020 Russian-backed cyber hit on SolarWinds.

So far, there is no word on who attacked Dollar Tree through Zeroed-In or whether a ransom demand or data extortion threat has been posted.

Names, Birth Dates and Social Security Numbers Stolen

The cyber operation reportedly occurred on August 7-8, 2023. Information stolen during the attack includes names, birth dates, and social security numbers. Zeroed-In said it has not yet been able to identify all of the specific files that were accessed or taken by the attacker.

In a breach notification filing with the Maine Attorney General’s Office (some 7,000 Maine residents were potentially affected), the company revealed that the incident was identified on August 8 and that a threat actor had unauthorized access to certain systems between August 7-8.

"While the investigation was able to determine that these systems were accessed, it was not able to confirm all of the specific files that were accessed or taken by the unauthorized actor," the letter reads.

"Therefore, Zeroed-In conducted a review of the contents of the systems to determine what information was present at the time of the incident, to whom the information relates, and to which Zeroed-In customers the information belonged. This review was completed on August 31, 2023 and Zeroed-In notified [Dollar Tree] of the event because certain individuals associated with them were identified during the review."

The company has notified the affected individuals with instructions on enrolling in a 12-month identity protection and credit monitoring service.

It’s not clear if other Zeroed-In customers in addition to Dollar Tree and Family Dollar have been impacted by the security breach.

Security Experts Comment on Breach

Security experts weighed in on the breach, pointing out the cyber danger of supply chain attacks.

Etay Maor, senior director of security strategy at Cato Networks, said that supply chain attacks exploit the assumed trust between organizations.

"On one hand, organizations are forced to work closely with third-party providers to be competitive, while on the other hand, if these third parties are not secure, which is out of their control, it inherently puts organizations at risk and challenges their ability to remain secure," Etay said. "Determined cyberattackers will keep probing an organization’s defenses until they find the weakest chain in the supply chain, which in some cases may be your service provider."

Lior Yaari, chief executive and founder of Grip Security, said that the "reliance on SaaS services" shows the unanticipated risk companies face.

"Dollar Tree may have done everything perfectly, but if one of their SaaS vendors has shortcomings in their security, it puts Dollar Tree at risk," Yaari said. "Their vendor likely had all the required certifications, yet they experienced a breach that affected millions of customers. There is a fundamental flaw that needs to be addressed or this will continue to happen, and more companies will be impacted."

D. Howard Kass

D. Howard Kass is a contributing editor to MSSP Alert. He brings a career in journalism and market research to the role. He has served as CRN News Editor, Dataquest Channel Analyst, and West Coast Senior Contributing Editor at Channelnomics. As the CEO of The Viewpoint Group, he led groundbreaking market research.