Canadian retail chain Giant Tiger disclosed a data breach in March 2024.
A threat actor has now publicly claimed responsibility for the data breach and leaked 2.8 million records, which they claim belong to Giant Tiger customers, on a hacker forum.
Data breach monitoring service HaveIBeenPwned has added the leaked database to its website to make it easy for users to check if their information was compromised.
The discount store chain operates over 260 stores and employs 8,000 people across Canada.
2.8 million customer records leaked online
On Friday, BleepingComputer noticed a post titled "Giant Tiger Database - Leaked, Download!" surfacing on a hacker forum.
The threat actor behind the post claims to have uploaded the "full" database of Giant Tiger customer records stolen in March 2024.
"In March 2024, the Canadian discount store chain Giant Tiger Stores Limited... suffered a data breach that exposed over 2.8 million clients," states the threat actor.
"The breach includes over 2.8 million unique email addresses, names, phone numbers and physical addresses."
The stolen data in the dump, claims the threat actor, additionally includes the "website activity" of Giant Tiger customers.
"I finally opened 60 of the 60 pages of the database section!" replied one forum member to the post, with others requesting to preview a sample of the data set. The threat actor obliged and posted a small snippet.
The data set has been leaked essentially for free. Although the download link to the set has to be unlocked by spending "8 credits," forum members can typically generate such credits trivially, for example by commenting on existing posts or contributing new ones.
Threat actors often breach companies and steal sensitive data to blackmail them and extort money. If extortion fails, a threat actor may deliberately leak the stolen data online or sell it on dark web marketplaces to buyers interested in conducting identity theft and phishing attacks.
Breach caused by a third-party vendor
BleepingComputer has not verified the authenticity of the data set; however, we did reach out to Giant Tiger with questions regarding the leak.
Without commenting on the authenticity of the leaked data, a spokesperson responded:
"On March 4, 2024, Giant Tiger became aware of a security concern related to a third-party vendor we use to manage customer communications and engagement," a Giant Tiger spokesperson told BleepingComputer.
"We determined that contact information belonging to certain Giant Tiger customers was obtained without authorization. We sent notices to all relevant customers informing them of the situation."
"No payment information or passwords were involved."
Giant Tiger declined to share the name of the third-party vendor in question.
Records added to HaveIBeenPwned
As of April 12th, the leaked data set has been added to the "Have I Been Pwned?" database.
HaveIBeenPwned (HIBP) is a free online service that allows users to check if their data was compromised in known data breaches.
The number of breached records associated with this incident added to the HIBP database is 2,842,669, with the service stating that 46% of these records were already in its database.
Giant Tiger customers should be wary of any suspicious emails or other incoming communications that claim to be from the retailer. These could very likely be targeted phishing attempts from threat actors.
Although no payment information or passwords were exposed in this breach, signing up for an identity monitoring service could help customers avoid becoming victims of identity theft.