Giant Tiger Stores Ltd. says contact information for some of its customers was compromised in an "incident" linked to a third-party vendor it uses.
Alison Scarlett, a spokesperson for the Ottawa-based discount retailer, would not name the vendor on Monday but said Giant Tiger uses the company to manage its customer communications and engagement.
Giant Tiger is working hard to resolve the issue "as quickly and openly as possible," Scarlett said.
"We deeply regret that the incident occurred and remain committed to employing best practices to prevent these types of incidents," she wrote in an email to The Canadian Press.
The breach impacting Giant Tiger is the latest in a string of cybersecurity incidents to hit Canadian organizations. Indigo Books & Music, the LCBO, the Nova Scotia government, the Toronto Public Library and the City of Hamilton in Ontario have all fallen victim to cyber incidents over the last two years.
A web page Giant Tiger set up to provide updates on the incident said the retailer first learned of "a possible security incident" on March 4. By March 15, it had become clear customer information was involved.
"An unauthorized third party was able to obtain copies of information about our customers," the company said.
An email about the incident sent to affected customers shows those who subscribe to Giant Tiger emails or have an account with its website may have had their name and email address compromised.
Members of its GT VIP loyalty program along with customers who placed orders that were picked up at a local store may have had their names, emails and phone numbers compromised.
Names, email addresses, home addresses and phone numbers for anyone who ordered products for home delivery may also have been part of the breach.
No payment information or passwords were part of the data compromised, said Scarlett. Giant Tiger store systems and applications were also unaffected.
There is no evidence so far that any information that was compromised has been misused, Scarlett added.
However, Giant Tiger has begun contacting customers about the incident, urging them to exercise caution when opening emails and receiving phone calls that appear to come from the retailer.
"Fraudsters can manipulate the sender's email address or outgoing phone number to make you believe that the email or text you are receiving is from a legitimate source," Giant Tiger's email to customers warned.
"Be particularly vigilant when communications request your personal information, payment information or passwords. Giant Tiger will never ask you for your payment information and password, and we only request personal information if you initiated contact with us. For example, we may ask you to confirm your identity if you call our customer service team."
The company also told customers they can contact Giant Tiger's customer service to have their information deleted but it will take two to four days for the process to be carried out.
To help prevent future incidents, Giant Tiger told customers it has notified the privacy commissioner about the breach and is working with vendors to ensure their security measures "continue to meet the highest standards."
Statistics Canada data shows the country saw 74,073 police-reported cybercrimes in 2022, up from 71,727 in 2021 and 33,893 in 2018.
Cybercrime is often under-reported because of the stigma, embarrassment and repercussions that can be associated with being duped, experts have long said.