In November 2023, Dollar Tree and its subsidiary Family Dollar disclosed that personal data belonging to approximately 1.98 million current and former employees had been compromised. The breach did not occur at Dollar Tree's own systems. It originated at Zeroed-In Technologies, a workforce analytics vendor that processed employee data on behalf of Dollar Tree.
The incident was a textbook example of third-party supply chain risk, where an organization's security posture is only as strong as the weakest vendor in its ecosystem. Dollar Tree could have had the most robust internal security program imaginable, and it would not have mattered. The data was stolen from a vendor they trusted with their employees' most sensitive information.
What Happened
Zeroed-In Technologies, a company specializing in workforce analytics and human resources data processing, experienced a security incident on August 7-8, 2023. During this two-day window, an unauthorized actor accessed Zeroed-In's systems and exfiltrated data belonging to multiple clients, including Dollar Tree and Family Dollar.
The compromised data included:
- Full names
- Social Security numbers
- Dates of birth
This combination of personally identifiable information is particularly dangerous. Social Security numbers, names, and dates of birth together form the core identity package needed for identity theft, fraudulent credit applications, and tax fraud.
Zeroed-In notified Dollar Tree of the breach in September 2023. Dollar Tree then had to determine which of its employees were affected, a process complicated by the need to coordinate between Zeroed-In's forensic findings and Dollar Tree's own employee records. Notification letters were sent to affected individuals in late November.
The Third-Party Risk Problem
The Dollar Tree breach illustrates a problem that security professionals have warned about for years: organizations routinely share their most sensitive data with third-party vendors that may have weaker security controls than the organizations themselves.
Dollar Tree employs over 200,000 people across more than 16,000 stores. As a major retailer, the company is subject to PCI DSS requirements for payment card data and maintains a security program appropriate for a Fortune 500 company. But when employee data was sent to Zeroed-In for workforce analytics processing, it left the protective envelope of Dollar Tree's security controls.
Zeroed-In Technologies, as a smaller vendor, likely operated with a fraction of the security budget and staffing that Dollar Tree maintains. This is the fundamental asymmetry of third-party risk: large enterprises share sensitive data with smaller vendors that cannot match their security investment.
The problem is compounded by the sheer number of vendors that a large enterprise engages. A company like Dollar Tree may work with hundreds or thousands of third-party vendors, each of which has some level of access to the company's data, systems, or network. Assessing and monitoring the security posture of every vendor is an enormous undertaking that most organizations struggle to accomplish effectively.
Workforce Analytics: A Growing Attack Surface
Zeroed-In Technologies' line of business, workforce analytics, points to a growing category of third-party risk. HR technology vendors handle some of the most sensitive data in any organization: Social Security numbers, compensation data, performance evaluations, health information, and background check results.
The workforce analytics market has exploded in recent years as companies seek data-driven insights into hiring, retention, compensation, and productivity. This growth has created a sprawling ecosystem of vendors that ingest, process, and store employee data, often with broad access to the most sensitive categories of personal information.
Many of these vendors are startups or small companies that prioritized product development and market growth over security maturity. They may lack dedicated security teams, formal incident response plans, or the financial resources to implement enterprise-grade security controls.
The Dollar Tree breach was not unique in this regard. Throughout 2023 and 2024, multiple HR technology vendors were breached, including payroll processors, benefits administrators, and recruiting platforms. Each breach affected the employees of multiple client organizations, creating a multiplier effect where a single vendor compromise impacts millions of individuals.
The Notification Timeline
One of the criticisms leveled at both Zeroed-In and Dollar Tree was the notification timeline. The breach occurred on August 7-8. Zeroed-In notified Dollar Tree in September. Affected employees were not notified until late November, more than three months after the breach.
During those three months, 1.98 million people whose Social Security numbers had been stolen were unaware and unable to take protective action. They did not know to monitor their credit reports, place freezes, or watch for signs of identity theft.
Both companies attributed the delay to the complexity of the forensic investigation and the need to accurately identify affected individuals. This explanation is familiar in breach disclosures, and it reflects a genuine operational challenge. However, it also reflects the prioritization of accuracy over speed in a context where speed matters enormously to the affected individuals.
Some states have enacted breach notification laws with specific timelines. The patchwork of state requirements means that the acceptable notification window varies by jurisdiction, but the trend is toward shorter mandatory timelines.
Legal Consequences
Multiple class-action lawsuits were filed against both Dollar Tree and Zeroed-In Technologies following the disclosure. The lawsuits alleged:
- Failure to implement adequate security measures to protect employee data
- Failure to conduct adequate due diligence on the security practices of third-party vendors
- Unreasonable delay in notifying affected individuals
- Negligence in the handling of sensitive personal information
The lawsuits sought damages for the affected employees, including the cost of credit monitoring, compensation for time spent addressing identity theft risks, and statutory damages under various state data protection laws.
For Dollar Tree, the lawsuits raised an important legal question: to what extent is a company liable for a breach that occurs at a third-party vendor? Dollar Tree did not lose the data from its own systems. But it chose to share that data with Zeroed-In and, plaintiffs argued, had a duty to ensure that Zeroed-In would protect it adequately.
Vendor Risk Management Lessons
The Dollar Tree breach reinforced several vendor risk management principles:
Data minimization with vendors: Only share the minimum data necessary for the vendor to perform its function. Zeroed-In needed employee data to perform workforce analytics, but did it need Social Security numbers? In many cases, anonymized or pseudonymized data could serve the analytical purpose without the identity theft risk.
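To make the data minimization point concrete, the following is an added example, not code from the original article and not Dollar Tree's or Zeroed-In's own tooling, of how a data owner can pseudonymize an HR extract before handing it to an analytics vendor. The employee records, the master secret and the vendor names are constructed for illustration; the reference date used for age bands is the breach window from the article. The design points a practitioner would care about: direct identifiers are replaced by a keyed HMAC token rather than a plain hash, because the SSN space is only about a billion values and an unkeyed hash can be reversed by exhaustive search; the key is derived per vendor so that tokens held by two different vendors cannot be linked to each other; exact birth dates are generalized to age bands; and the token-to-employee mapping stays with the data owner, which is what lets vendor results be matched back to people without the vendor ever holding names, SSNs or birth dates.

```python
import hmac
import hashlib
from datetime import date

# Constructed sample HR extract. Fictional people; not real employee data.
EMPLOYEE_RECORDS = [
    {"employee_id": "E1001", "name": "Alice Example", "ssn": "123-45-6789",
     "dob": "1985-03-14", "store": "S0421", "role": "cashier", "hire_date": "2019-06-01"},
    {"employee_id": "E1002", "name": "Bob Example", "ssn": "987-65-4321",
     "dob": "1992-11-02", "store": "S0421", "role": "stocker", "hire_date": "2021-02-15"},
    {"employee_id": "E1003", "name": "Carol Example", "ssn": "555-12-3456",
     "dob": "1978-07-30", "store": "S0087", "role": "manager", "hire_date": "2012-09-10"},
]

# Fields that identify a person directly or nearly so. None of them leave the owner.
DIRECT_IDENTIFIERS = {"name", "ssn", "dob", "employee_id"}

# Reference date for age bands: the breach window described in the article (Aug 7, 2023).
AS_OF = date(2023, 8, 7)


def vendor_key(master_key: bytes, vendor_name: str) -> bytes:
    """Derive a per-vendor key from the owner's master secret.

    Tokens issued to vendor A and vendor B for the same person then differ,
    so a compromise of both datasets does not let anyone link them.
    """
    return hmac.new(master_key, vendor_name.encode(), hashlib.sha256).digest()


def pseudonym(ssn: str, key: bytes) -> str:
    """Keyed token standing in for an SSN.

    HMAC-SHA256, not a bare hash: there are only about 10^9 possible SSNs, so
    an unkeyed SHA-256 of an SSN is reversible by trying them all. With the
    key held only by the data owner, the vendor cannot invert the token.
    """
    normalized = ssn.replace("-", "").strip()  # "123-45-6789" and "123456789" give one token
    return hmac.new(key, normalized.encode(), hashlib.sha256).hexdigest()[:32]


def age_band(dob_iso: str, as_of: date = AS_OF) -> str:
    """Generalize an exact birth date to a 10-year age band such as "30-39"."""
    born = date.fromisoformat(dob_iso)
    age = as_of.year - born.year - ((as_of.month, as_of.day) < (born.month, born.day))
    low = (age // 10) * 10
    return f"{low}-{low + 9}"


def build_vendor_dataset(records, master_key: bytes, vendor_name: str, as_of: date = AS_OF):
    """Return (vendor_rows, reidentification_map).

    vendor_rows is what ships to the vendor: a token plus analytic attributes.
    reidentification_map (token -> employee_id) stays with the data owner, so
    the vendor's results can be matched back to individuals in-house.
    """
    key = vendor_key(master_key, vendor_name)
    vendor_rows, reid = [], {}
    for rec in records:
        token = pseudonym(rec["ssn"], key)
        row = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        row["subject_token"] = token
        row["age_band"] = age_band(rec["dob"], as_of)
        vendor_rows.append(row)
        reid[token] = rec["employee_id"]
    return vendor_rows, reid


def leaks_direct_identifiers(rows) -> bool:
    """Pre-transfer gate: True if any direct identifier survived in the outbound rows."""
    return any(DIRECT_IDENTIFIERS & set(row) for row in rows)


if __name__ == "__main__":
    # Constructed master secret; in practice this lives in an HSM or secrets manager.
    rows, reid = build_vendor_dataset(EMPLOYEE_RECORDS, b"constructed-master-secret", "analytics-vendor-a")
    if leaks_direct_identifiers(rows):
        raise SystemExit("refusing to ship: direct identifiers present in outbound data")
    for row in rows:
        print(row)
    print("owner-side map entries:", len(reid))
```

The gate at the end is the operational piece: the outbound extract is checked for surviving identifiers before it is transferred, and the transfer is refused rather than logged if any are found. Because the token is deterministic under a given vendor key, the vendor can still join records across monthly extracts and the owner can still resolve any vendor finding back to an employee, so the analytics use case is preserved while a breach at the vendor exposes store, role, tenure and an age band rather than the identity package the article describes.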
Contractual security requirements: Vendor contracts should include specific security requirements, breach notification timelines, and audit rights. Many organizations treat vendor contracts as procurement documents rather than security instruments.
Ongoing monitoring: A vendor security assessment at contract signing is necessary but insufficient. Vendor security postures change over time. Continuous monitoring, periodic reassessments, and verification of security controls are essential.
Incident response coordination: Organizations need pre-established procedures for coordinating incident response with vendors. The three-month gap between breach and notification suggests that coordination protocols were not well-defined.
How Safeguard.sh Helps
The Dollar Tree breach demonstrates that your security perimeter extends to every vendor that touches your data. Safeguard.sh helps organizations manage the software supply chain dimension of third-party risk:
- Third-party software inventory tracks the software components and services that your vendors deploy, giving you visibility into the security posture of the tools processing your data.
- Vulnerability monitoring across the supply chain alerts you when vulnerabilities are discovered in software used by your critical vendors, enabling proactive conversations about patching and remediation.
- Policy enforcement defines and enforces security standards that vendor software must meet before it is approved for use in your environment, creating a consistent security baseline across your extended enterprise.
- Risk scoring evaluates the aggregate risk of your vendor ecosystem, identifying concentrations where a single vendor compromise would have outsized impact on your organization.
The Dollar Tree breach is a reminder that your employees' data does not stop being your responsibility when it leaves your network. Visibility into your entire supply chain, including the vendors you trust with sensitive data, is not optional.