Information relating to nearly 2 million current and former employees of discount variety store company Dollar Tree Inc. has been stolen following a breach at a third-party provider.

Details of the breach first emerged in a filing by Zeroed-In Technologies LLC with the Office of the Maine Attorney General, which stated that 1,997,486 people had been affected in the breach that occurred on Aug. 7 and 8. Zeroed-In is a people analytics and data management company providing Dollar Tree with workforce analytical services.

In a letter to those affected, Zeroed-In said that it discovered suspicious activity related to certain network systems on Aug. 8 and then took steps to secure the systems and launched an investigation into the nature and scope of the activity. The investigation subsequently determined that an unauthorized actor gained access to certain systems.

After the initial investigation could not determine what was stolen, a subsequent investigation completed on Aug. 31 found that data potentially stolen included names, dates of birth and Social Security numbers. The company also ticked off the other standard responses to a data breach: informing law enforcement, reviewing policies and informing those affected, including offering 12 months of credit monitoring services.

What is surprisingly lacking in this story so far has been near silence from Dollar Tree itself, despite the breach affecting its employees. Bleeping Computer contacted Dollar Tree for comment and its only response was to confirm that “Zeroed-In is a vendor that we and other companies use,” that Dollar Tree had been informed of the security incident and that Zeroed-In had “provided notice of the incident to current and former employees.”

The breach may also result in legal action, with law firm Console & Associates P.C. currently investigating a potential class-action lawsuit against Zeroed-In.

Dr. Darren Williams, founder and chief executive at anti-data exfiltration and ransomware prevention company BlackFog Inc., told SiliconANGLE that the impact of the breach on Dollar Tree exemplifies the importance of wisely choosing vendors and ensuring they have proper security controls in place.

“The vulnerabilities associated with third-party access pose a substantial security risk for many enterprises and are commonly targeted by threat actors as it is an efficient way to expand the scope of their breaches,” Williams said. “This threat necessitates a proactive approach to vendor risk management and proper analysis of companies’ network connections. Additionally, it is instrumental that businesses implement advanced, modern technologies that prevent data exfiltration to stay ahead of threat actors that gain access to their systems.”

Photo: Mike Mozart/Flickr