Discount retailer Giant Tiger says customer data was compromised in third-party breach

Discount retailer Giant Tiger says contact information for some of its customers was compromised in an “incident” linked to a third-party vendor it uses.

Alison Scarlett, a spokesperson for the Ottawa-based discount retailer, said it would not name the vendor on Monday but said Giant Tiger uses the company to manage its customer communications and engagement.

Giant Tiger is working hard to resolve the issue “as quickly and openly as possible,” Scarlett said.

The retailer first learned of the security incident on March 4, and concluded that customer information was involved by March 15, the company wrote in an email to customers.

Once it became aware of the issue, Scarlett says Giant Tiger began contacting customers about the incident, urging them to exercise caution when opening emails and receiving phone calls.

The email indicated that the compromised information varied between customers. It included the names and email addresses of those who subscribe to Giant Tiger emails.

Loyalty members and those who placed online orders for in-store pickups might have had their names, emails and phone numbers compromised.

Some customers who placed online orders for home delivery may have had that same information plus their street addresses compromised.

Scarlett, the spokesperson, said the number of customers impacted by the breach correlates to each program and did not give a specific figure.

Latest Canadian org hit by cybersecurity incident

“We’re hearing about third-party breaches happening more often,” said Ritesh Kotak, a cybersecurity technology analyst and lawyer in Ontario.

These types of breaches usually happen when a company collects data and gives it to a third party for marketing and advertising purposes, Kotak said. Customers may consent for this kind of data collection by agreeing to a company’s terms of service.

If those third-party organizations “don’t have the proper cybersecurity protocols in place or the right privacy protocols and [they] get breached, then your information is out there.”

Users with compromised data should monitor their accounts — and pay attention to emails, he said.

“Hackers and fraudsters may use a database of hacked information to send you links, or what we call phishing links, to collect further information or get you to purchase something.”

Scarlett says no payment information or passwords were part of the data compromised. The company said it has hired cybersecurity experts to help conduct an independent investigation.

Giant Tiger store systems and applications were also unaffected.

“We deeply regret that the incident occurred and remain committed to employing best practices to prevent these types of incidents,” Scarlett said in an email to The Canadian Press.

The breach impacting Giant Tiger is the latest in a string of cybersecurity incidents to hit Canadian organizations.

Indigo Books & Music, the LCBO, the Nova Scotia government, the Toronto Public Library and the City of Hamilton in Ontario have all fallen victim to cyber incidents over the last two years.