Third-Party Vendor Risk
One Leaky Vendor, Two Billion-Dollar Brands
How Zeroed-In exposed 1.9 million Dollar Tree & Family Dollar workers and rewrote the rules of third-party risk
- 1.9M workers exposed
- 487 GB of data stolen
- 4-month disclosure delay
- $1.1B in market cap lost
"On 7 August 2023 one misconfigured S3-style bucket was all an attacker needed to vacuum up the SSNs, DOBs and payroll records of everyone who ever stocked a $1 picture frame."
When the Buck(stopped) Leaked
| Date (2023) | Milestone |
|---|---|
| 7 Aug | Zeroed-In Technologies (Dollar Tree's HR-analytics vendor) leaves an unencrypted, internet-facing storage bucket live on a public network segment |
| 7–8 Aug | Unauthorised party accesses the bucket; 1.9 million employee records exfiltrated (names, DOBs, SSNs, hire dates, salary bands) |
| 27 Nov | Four-month delay ends: Zeroed-In begins mailing breach letters, in the thick of the holiday shopping season |
| 30 Nov | Dollar Tree files notice with the Maine and California attorneys general; total affected population disclosed as roughly 2 million |
| 11 Dec | Class-action suit filed in Maryland federal court; plaintiffs allege "inadequate vendor oversight" and "reckless delay" in notification |
"An unauthorised third party gained access to Zeroed-In's systems… The exposed data included names, dates of birth and Social Security numbers."
Why a $1-Store Breach Costs More Than a Dollar
- 1.9 million current and former employees notified: cashiers, overnight stockers and district managers across 16,000+ Dollar Tree and Family Dollar stores
- Unencrypted data is a ready-made identity-theft kit; a dark-web vendor priced the dump at $0.50 per record within days of the leak
- Share price: DLTR slid 5% in two sessions after the breach headlines, erasing $1.1 billion in market cap
- Regulatory heat: a four-month notification lag is hard to square with the 40+ state breach laws, which require notice either "without unreasonable delay" or within a fixed window (30 to 60 days in the states that set one)
- Litigation: a 22-plaintiff class action seeks statutory damages of $1,000 per record, a theoretical exposure of $1.9 billion
How HR Data Became a Sitting Duck
1. Dollar Tree uploads weekly payroll CSVs to Zeroed-In's cloud analytics platform.
2. Zeroed-In stores the flat files, unencrypted, in a bucket on a public-facing network segment: no IP allow-list, no restrictive bucket policy.
3. An attacker's automated scanner finds the open bucket and downloads the 487 GB archive in under 6 hours.
4. Logs show no MFA on Zeroed-In's admin console; the default password "Spring2023!" turns up in the breach dump.
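Steps 2 and 3 are exactly what a posture scan is supposed to catch before a scanner belonging to someone else does. The script below is an added example, not code from the original article, from Zeroed-In or from Dollar Tree: a minimal CSPM-style check for one S3 bucket that evaluates the four API responses a scanner would fetch (GetBucketAcl, GetBucketPolicy, GetPublicAccessBlock, GetBucketEncryption) and returns findings. The two sample buckets are constructed, one modelled on the exposure described above and one hardened; bucket names, the canonical user ID and the KMS alias are invented.

```python
# Added example (not code from the original article, Zeroed-In or Dollar Tree):
# a minimal CSPM-style posture check for one S3 bucket. It evaluates the four
# responses a scanner would pull (GetBucketAcl, GetBucketPolicy,
# GetPublicAccessBlock, GetBucketEncryption) and returns a list of findings.
# The two sample buckets below are constructed: one modelled on the exposure
# described above, one hardened. Bucket names and IDs are invented.
import json

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls",
            "BlockPublicPolicy", "RestrictPublicBuckets")


def public_acl_grants(acl):
    """Permissions the ACL grants to anonymous users or to any AWS account."""
    return [g["Permission"] for g in acl.get("Grants", [])
            if g["Grantee"].get("Type") == "Group"
            and g["Grantee"].get("URI") in (ALL_USERS, AUTH_USERS)]


def _is_wildcard_principal(principal):
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False


def public_policy_statements(policy_doc):
    """Allow statements for Principal '*' with no Condition narrowing them."""
    if not policy_doc:
        return []
    stmts = policy_doc.get("Statement", [])
    stmts = [stmts] if isinstance(stmts, dict) else stmts
    return [s for s in stmts if s.get("Effect") == "Allow"
            and _is_wildcard_principal(s.get("Principal"))
            and not s.get("Condition")]


def audit_bucket(name, acl, policy_json, pab, encryption):
    """Return human-readable findings; an empty list means the bucket passed."""
    findings = []
    perms = public_acl_grants(acl)
    if perms:
        findings.append(f"{name}: ACL grants {','.join(perms)} to everyone")
    for s in public_policy_statements(json.loads(policy_json) if policy_json else None):
        actions = s.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        findings.append(f"{name}: bucket policy allows {','.join(actions)} to Principal '*'")
    cfg = (pab or {}).get("PublicAccessBlockConfiguration", {})
    missing = [k for k in PAB_KEYS if not cfg.get(k)]
    if missing:
        findings.append(f"{name}: Block Public Access incomplete ({', '.join(missing)})")
    rules = (encryption or {}).get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    algos = [r.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm") for r in rules]
    if "aws:kms" not in algos:
        findings.append(f"{name}: default encryption is not a customer KMS key ({algos or 'none'})")
    return findings


# --- constructed sample responses (shapes follow the S3 API; values invented) ---
OWNER = {"Type": "CanonicalUser", "ID": "0123456789abcdef" * 4}
LEAKY_ACL = {"Owner": OWNER, "Grants": [
    {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]}
LEAKY_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::hr-payroll-ingest-example",
                 "arn:aws:s3:::hr-payroll-ingest-example/*"]}]})
LEAKY_PAB = None        # GetPublicAccessBlock raised NoSuchPublicAccessBlockConfiguration
LEAKY_ENC = {"ServerSideEncryptionConfiguration": {"Rules": [
    {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}}

HARDENED_ACL = {"Owner": OWNER, "Grants": [{"Grantee": OWNER, "Permission": "FULL_CONTROL"}]}
HARDENED_PAB = {"PublicAccessBlockConfiguration": {k: True for k in PAB_KEYS}}
HARDENED_ENC = {"ServerSideEncryptionConfiguration": {"Rules": [
    {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms",
                                           "KMSMasterKeyID": "alias/hr-payroll-example"}}]}}


def run_demo():
    """Audit both sample buckets; returns {bucket_name: [findings]}."""
    return {
        "hr-payroll-ingest-example": audit_bucket(
            "hr-payroll-ingest-example", LEAKY_ACL, LEAKY_POLICY, LEAKY_PAB, LEAKY_ENC),
        "hr-payroll-ingest-hardened": audit_bucket(
            "hr-payroll-ingest-hardened", HARDENED_ACL, None, HARDENED_PAB, HARDENED_ENC),
    }


if __name__ == "__main__":
    for bucket, findings in run_demo().items():
        print(bucket, "PASS" if not findings else "")
        for f in findings:
            print("  -", f)
```

Against a live account the sample dicts are replaced by `boto3.client("s3").get_bucket_acl(Bucket=...)`, `get_bucket_policy(...)["Policy"]`, `get_public_access_block(...)` and `get_bucket_encryption(...)`, passing `None` when the call raises `NoSuchBucketPolicy`, `NoSuchPublicAccessBlockConfiguration` or `ServerSideEncryptionConfigurationNotFoundError`. Two caveats. The public-access findings are the ones that would have mattered here: server-side encryption is transparent to anyone S3 lets read the object, so the leaky bucket's AES256 default did nothing for the records, and since January 2023 S3 applies SSE-S3 to every bucket anyway, which is why the check above asks for a KMS key rather than for encryption at all. And the policy check deliberately skips wildcard principals that carry a Condition (a VPC-endpoint or source-IP restriction, say); a production scanner would evaluate the condition instead of ignoring the statement.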
"Dollar Tree allegedly shared private, unencrypted information… stored in an unencrypted, internet-accessible environment."
Third-Party = Weakest (and Most Expensive) Link
- 29% of all breaches in 2023 traced to third-party vendors, up from 22% in 2022 (Verizon DBIR)
- $4.55M average cost of a supply-chain breach, $370k higher than a direct compromise (IBM Cost of a Data Breach 2023)
- Multi-brand collateral risk: Zeroed-In also serves Jack in the Box, Dave & Buster's and Steak 'n Shake
Dollar Tree's "It-Wasn't-Us" Defense Won't Fly in Court
"Retailers can outsource the work, but they can't outsource the liability. Regulators and juries still ask: 'What vendor-security audits did you run?'"
Translation: the vendor due diligence that PCI DSS (Requirement 12.8, managing service providers) and GDPR (Article 28, processor contracts) already impose is now table stakes for any company that hands payroll or PII to a third party.
Four NIST Controls That Would Have Stopped the Leak
| Control | NIST CSF 1.1 ID | What Dollar Tree (and You) Must Do |
|---|---|---|
| Encrypt PII at rest | PR.DS-1 | Mandate encryption at rest for every bucket, and reject vendors who store plain-text SSNs. Mind the limit of the first half: server-side bucket encryption is transparent to anyone S3 lets read the object, so it does nothing against a public-read bucket; only application-layer encryption or tokenisation of the SSN field before upload keeps the vendor from ever holding the plaintext |
| Cloud-security posture scan | ID.RA-1 | Run weekly CSPM scans; alert on public-read ACLs, bucket policies that allow Principal "*", and accounts without Block Public Access enabled |
| Vendor access MFA | PR.AC-7 | Require hardware FIDO2 keys for every vendor admin console; a default password on an unauthenticated console is the one failure the other three controls cannot compensate for |
| 60-day breach SLA | RS.CO-2 | Write a notification clock into the contract, with financial penalties for each day of delay beyond it |
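The PR.DS-1 row and step 1 of the attack chain (weekly payroll CSVs uploaded to the vendor) point at the same fix: an HR-analytics vendor needs a stable per-employee join key, not the SSN, so the retailer can strip the SSN before the file ever leaves. The script below is an added example, not code from the original article, from Dollar Tree or from Zeroed-In. It replaces the SSN column with a keyed HMAC-SHA256 token, drops the date-of-birth column, and runs an egress check for any SSN that survived. The column names, the two sample rows, their SSNs and the key are all constructed, and the assumption that the vendor needs only a join key is the retailer's call to verify against its own analytics use.

```python
# Added example (not code from the original article, Dollar Tree or Zeroed-In):
# data minimisation before the payroll extract leaves the retailer. The vendor
# gets a stable per-employee token instead of the SSN, the DOB column is dropped,
# and an egress scan confirms no raw SSN is left. The key lives in the retailer's
# own secret store; the CSV rows, column names and key here are constructed.
import csv
import hashlib
import hmac
import io
import re

# Input validation accepts dashed or undashed SSNs; the egress scan looks for the
# dashed form, which is how SSNs appear in an HR export.
SSN_FIELD_RE = re.compile(r"^\d{3}-?\d{2}-?\d{4}$")
SSN_SCAN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def pseudonymize_ssn(ssn, key):
    """Keyed token for an SSN. A plain SHA-256 of the SSN would be reversible by
    brute force (only 10^9 candidates); the secret key is what makes this one-way
    for anyone who obtains the vendor's copy. Dashes are stripped first so the
    token does not depend on formatting."""
    if not SSN_FIELD_RE.match(ssn):
        raise ValueError("field is not an SSN")
    digits = ssn.replace("-", "").encode()
    return hmac.new(key, digits, hashlib.sha256).hexdigest()


def minimize_payroll(csv_text, key, drop=("ssn", "date_of_birth")):
    """Rewrite a payroll CSV for the vendor: ssn -> employee_token, dropped columns removed."""
    reader = csv.DictReader(io.StringIO(csv_text))
    keep = [c for c in reader.fieldnames if c not in drop]
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=["employee_token"] + keep, lineterminator="\n")
    writer.writeheader()
    for row in reader:
        writer.writerow({"employee_token": pseudonymize_ssn(row["ssn"], key),
                         **{c: row[c] for c in keep}})
    return out.getvalue()


def find_raw_ssns(text):
    """Egress check: every dashed SSN still present in an outbound file."""
    return SSN_SCAN_RE.findall(text)


# Constructed sample extract: invented people, invented SSNs, invented store.
SAMPLE_CSV = """employee_id,name,ssn,date_of_birth,hire_date,salary_band,store_number
E1001,Alice Example,123-45-6789,1990-04-12,2021-03-15,B3,04217
E1002,Bob Example,987-65-4320,1985-11-30,2019-08-01,C1,04217
"""
# Constructed key; in production it comes from a secrets manager, never from a repo.
SAMPLE_KEY = b"rotate-me-32-bytes-from-a-vault-00"


def run_demo():
    """Minimise the sample extract; returns (vendor_csv, raw_ssns_found_in_output)."""
    vendor_csv = minimize_payroll(SAMPLE_CSV, SAMPLE_KEY)
    return vendor_csv, find_raw_ssns(vendor_csv)


if __name__ == "__main__":
    vendor_csv, leaks = run_demo()
    print(vendor_csv)
    print("raw SSNs in outbound file:", leaks)
```

The token is deterministic under one key, so the vendor can still join weeks of extracts per employee, and the retailer can re-identify a token by recomputing it from its own records; a party holding only the vendor's bucket cannot. Rotating the key breaks continuity across extracts, so rotation should coincide with a re-baseline on the vendor side. The egress scan is the cheap control that catches the case where someone adds a new column containing SSNs six months from now.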
The Third-Party Trust Fall
Zeroed-In's bucket sat reachable from the public internet; the exfiltration itself took under six hours, and it started the moment an attacker's script found an unprotected folder.
If a Fortune 120 retailer with 16,000 stores can be humbled by a $1 vendor mistake, what are your third-party connections doing right now?
"What am I doing during those first 39 seconds of a third-party connection?"
Secure Your Vendor Risk Before It's Too Late
Don't let your third-party vendors become your biggest liability. Get a comprehensive vendor risk assessment and protect your organization from supply chain attacks.