Hacker claims responsibility for Giant Tiger hack and leaks millions of customer records online
A hacker has claimed responsibility for a recent Giant Tiger data breach that leaked sensitive information from millions of customers.
BleepingComputer recently saw a new thread on an underground forum titled “Giant Tiger Database – Leaked, Download!” which included a message from the threat actor claiming: “In March 2024, Canadian discount retail chain Giant Tiger Stores Limited… suffered a data breach that exposed more than 2.8 million customers. The breach includes more than 2.8 million unique email addresses, names, phone numbers and physical addresses.”
In addition to this information, the database also contains “website activity” from Giant Tiger customers, the leaker claimed.
Giving it away
Giant Tiger has more than 260 stores across Canada and reported 2021 annual sales of approximately $2 billion and 10,000 employees.
In a statement issued to BleepingComputer, Giant Tiger essentially confirmed the leak and shifted the blame to an unnamed third party:
“On March 4, 2024, Giant Tiger became aware of security issues relating to a third-party vendor we use to manage customer communications and engagement,” the statement read. “We have determined that the contact information of certain Giant Tiger customers was obtained without consent. We have sent a message to all relevant customers to inform them of the situation.”
“No payment information or passwords were involved.”
While this type of data is usually sold on the dark web, in this case it was actually provided for free. Whoever wanted to obtain it only had to spend 8 forum “credits,” a virtual forum currency obtained by posting new threads, commenting, and generally participating in forum activities.
The database has now been added to the Am I Pwned? website, which said almost half (46%) of the records were already in its database. This means that some of Giant Tiger’s customers have already been compromised elsewhere in the past.