
Giant Tiger Breach
Mar 4, 2024
2,848,181 rows
What happened in the Giant Tiger Breach?
DataBreach.com Team · September 8th 2025, 8:00 pm EDT
What happened: We’re tracking a March 2024 incident at Giant Tiger (the Canadian discount retailer) in which a third-party vendor handling customer communications was compromised. On April 12, 2024, a dataset claimed to contain 2.8 million Giant Tiger customer records was posted on a criminal forum. Giant Tiger says the issue stemmed from a vendor and did not affect store systems or passwords/payment data.
Data exposed (varies by customer): email addresses (2.8M claimed), and for many customers names, phone numbers, and physical addresses. Giant Tiger’s notices explain the exact fields differ depending on how you interacted with the brand (newsletter/account, GT VIP loyalty, pickup, or home delivery). The forum post also claimed “website activity” was included, which the company did not confirm.
Threat actor / leak: The dump was advertised on BreachForums; some reporting attributes the listing to a user going by “ShopifyGUY.” Access on the forum required trivial “credits,” effectively making the data widely available.
When: Giant Tiger detected a possible issue on March 4, 2024, concluded by March 15 that customer information was involved, and began customer notifications. The public leak listing appeared April 12, 2024.
Company position & regulator notice: Giant Tiger says only contact information was affected (no passwords or payment data), that store systems were unaffected, and that it notified the Privacy Commissioner of Canada.
Why this matters
Contact data at this scale enables convincing phishing and SMS fraud that can spoof Giant Tiger or delivery updates, and targeted scams using real home addresses. If you shopped online, joined GT VIP, created an account, or subscribed to emails, you’re at elevated risk of follow-on social engineering.
Our take
- Scope: The most defensible top-line number, based on the leak listing and contemporaneous reporting, is ~2.8M customer emails, with subsets containing names, phones, and street addresses. Giant Tiger corroborates exposure of contact info for subsets of customers but does not confirm any “website activity” field.
- Vector: Third-party vendor exposure in a customer-engagement/marketing platform, consistent with a growing class of CRM supply-chain incidents.
Timeline
- Mar 4, 2024 - Giant Tiger detects possible vendor issue.
- Mar 15, 2024 - Determines customer information involved; begins notifications.
- Apr 12, 2024 - Dataset advertised on BreachForums; broad press coverage follows.
What customers should do (practical steps)
- Expect phishing/texts purporting to be Giant Tiger or delivery updates; don’t click links. Navigate directly to the site/app instead.
- Harden your accounts: use a password manager, enable MFA where available, and avoid reusing passwords across sites.
- Phone & mail hygiene: enable carrier call-screening, treat unexpected “order” texts as suspicious, and watch for mailers referencing your GT activity.










