You might be confident in your cybersecurity posture, but if you don’t know how your suppliers approach data protection, you’re still at risk of a huge data breach.
That’s precisely what happened to Dollar Tree. Over the weekend, the well-known discount retailer hit the headlines after falling victim to a supply chain cyberattack that is estimated to have affected over 1.9 million individuals.
What happened?
This data breach came to light on November 27, 2023, after the people management software company, Zeroed-In Technologies, filed a data breach notification with the Maine Attorney General.
While the notification raises more questions than it answers, a few details are clear.
First, the breach happened after an unauthorized actor accessed Zeroed-In Technologies’ systems between August 7 and August 8, 2023. During that window, the actor accessed IT systems containing the personally identifiable information of 1,977,486 individuals, including names, dates of birth, and Social Security numbers.
In the notice, Dollar Tree is the only customer that Zeroed-In specifically mentions, so it is not yet clear whether other companies have been impacted by this supply chain attack.
From Dollar Tree’s response to the incident, it appears that the company is keen not to get involved. In a statement, they said: “Zeroed-In is a vendor that we and other companies use. They informed us that they identified a security incident, and they provided notice of the incident to current and former employees.”
To Zeroed-In’s credit, they have promised a year of identity fraud protection services to impacted individuals. Still, people aren’t happy and, already, one class action lawsuit has been filed against Zeroed-In and Dollar Tree, with more surely to follow.
Lessons learned from the Dollar Tree breach
While Dollar Tree is seemingly shunning responsibility for the incident, the truth is that supply chain security is every company’s responsibility. As the saying goes, “you are only as strong as your weakest link.”
As was the case in this incident, if one of your SaaS suppliers suffers a data breach involving your data, you’ll also bear the brunt. That’s why supplier due diligence and risk management is so important.
To that end, we recommend adopting a zero-trust approach to supply chain risk management. With this strategy, the goal is to foster granular, real-time visibility and control over data residing outside of your immediate network.
Here’s how to do it in three steps:
Identify your suppliers
Adopting a zero-trust approach to supplier management begins with a comprehensive map of your partners, so that you know exactly who holds your data and which data they hold. Include vendors that are easy to overlook, such as HR, payroll, and people analytics platforms like Zeroed-In, which hold employee records rather than customer records. Use identity and access management (IAM) controls to give each supplier only the access its role requires, and encrypt data shared with third parties by default so that only verified users can read it, minimizing the risk of inadvertent data leaks.
Classify your sensitive data
Safeguarding sensitive data in third-party environments requires a meticulous understanding of its location. Enter data classification—a systematic process of organizing data based on type, sensitivity, metadata, and perceived organizational value. This classification lays the foundation for targeted security measures.
Deploy next-gen DLP
With classified data in hand, adopt a data-centric approach by implementing next-gen data loss prevention (DLP) tools. Cloud collaborations with suppliers and partners often involve applications like Slack, Teams, and Zoom, but traditional DLP solutions fall short in protecting data within these applications.
Enter next-gen DLP, which monitors, classifies, and protects sensitive data across cloud applications and collaboration tools. Polymer DLP works autonomously in third-party apps like Notion, Slack, and ChatGPT.
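As an added illustration of the classify-then-protect idea behind the last two steps (this is not Polymer’s code and is not from the original post), here is a minimal DLP-style scanner run over a constructed chat message. The detection rules, the Luhn filter on card candidates, and the placeholder format are assumptions made for the example; the sample message and every identifier in it are constructed, not real.

```python
"""Minimal DLP-style classifier and redactor for chat/SaaS text (added example)."""
import re
from dataclasses import dataclass

# US SSN shape: area not 000/666/9xx, group not 00, serial not 0000.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Card-number candidates: 13-19 digits, optional single space or dash between digits.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")

# Constructed sample: a Slack-style message that mixes real-looking PII with
# a non-card order reference and an invalid placeholder SSN.
SAMPLE_MESSAGE = (
    "hey, onboarding Jane Doe (jane.doe@example.com), SSN 123-45-6789, "
    "expense card 4111 1111 1111 1111, order ref 4111 1111 1111 1112, "
    "placeholder SSN 000-12-3456 on the form."
)


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; filters order IDs and phone numbers that merely look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass(frozen=True)
class Finding:
    kind: str
    start: int
    end: int
    value: str


def classify(text: str) -> list[Finding]:
    """Return findings sorted by position; card candidates must also pass Luhn."""
    findings = []
    for m in SSN_RE.finditer(text):
        findings.append(Finding("SSN", m.start(), m.end(), m.group()))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            findings.append(Finding("CARD", m.start(), m.end(), m.group()))
    for m in EMAIL_RE.finditer(text):
        findings.append(Finding("EMAIL", m.start(), m.end(), m.group()))
    return sorted(findings, key=lambda f: f.start)


def redact(text: str) -> str:
    """Replace each finding with a typed placeholder, keeping a card's last four digits."""
    out, pos = [], 0
    for f in classify(text):
        if f.start < pos:       # overlaps a span already redacted
            continue
        out.append(text[pos:f.start])
        if f.kind == "CARD":
            last4 = re.sub(r"\D", "", f.value)[-4:]
            out.append(f"[CARD ****{last4}]")
        else:
            out.append(f"[{f.kind}]")
        pos = f.end
    out.append(text[pos:])
    return "".join(out)


if __name__ == "__main__":
    for f in classify(SAMPLE_MESSAGE):
        print(f"{f.kind:5s} at {f.start:3d}: {f.value}")
    print(redact(SAMPLE_MESSAGE))
```

Two things the example shows that the prose does not: structural checks (SSN area/group/serial rules, the Luhn digit check) keep the scanner from flagging the order reference and the placeholder SSN, and redaction preserves enough context (a card’s last four digits) for the conversation to stay useful after the sensitive value is gone. A production tool would add many more detectors and context-aware scoring, but the pipeline of detect, validate, then redact is the same.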
How Polymer DLP can help
Harnessing the power of natural language processing (NLP), our low-code tool plugs straight into your cloud apps and gets to work right away, scanning your third-party SaaS environments at speed and scale for evidence of sensitive information like PHI, PII, credit card data, and more.
Depending on your needs, Polymer DLP can either redact sensitive data immediately or implement granular controls over who is able to access your sensitive information. The result? The risks of supply chain data exposure drop dramatically without interrupting collaborative efforts, so you can feel more confident in your supplier relationships.