Home Depot Data Breach/Leak – Experts Insight And Next Steps

In response to news that Home Depot sent some Canadian customers the order data of hundreds of the company’s other customers (see links at bottom), cybersecurity experts commented below on the next steps Home Depot should take immediately to inform and prepare those whose data has been compromised.

Experts' Comments

November 02, 2020
Saryu Nayyar
CEO
Gurucul
The data release from some of Home Depot's customers in Canada is unusual, in that the breach seems to be the result of an internal system error rather than an external attack. Still, releasing home and email addresses and recent order confirmations could be gold for a malicious actor. Personal information like that can be leveraged into a convincing phishing email, which could lead to the affected customers becoming victims. While this appears to be a misconfiguration, there are tools available that can identify misconfigured systems and recognize unusual behavior to keep data breaches like this one from happening.
November 02, 2020
Mounir Hahad
Head
Juniper Threat Labs, Juniper Networks
We often think of data breaches as the consequence of a threat actor infiltrating a network and gaining access to a sensitive data set. The majority of data breaches are small in the number of records exposed and are caused by human error when either policies are set wrong or data is sent to the wrong people. Fortunately, the harm that can come from this kind of data breach is limited and nowhere near what a threat actor can do with the same information.
November 02, 2020
Chloé Messdaghi
VP of Strategy
Point3 Security
We don’t really know how it happened, but it sounds like possibly an internal error. If one of those emails landed in the hands of an attacker, it’s like early Christmas for them. Any attacker would otherwise have to pay big money for real-time data on actual orders. After this event, any attacker with that information on orders in process or ready can just call or send a look-alike email and say “Sorry about this data breach, let us offer you this $50 gift card – please click here to receive it.” And then, a smart attacker would send a follow-up email or a text to each consumer whose data was leaked, saying “we’re sorry – please check your email, we’ve just sent you a gift card as a valuable customer. You can also access your gift card by clicking here.” Or they could pretend to call from HD Customer Service to collect the complete credit card information. Home Depot really needs to get in front of this immediately to beat attackers to the punch. They need to let their consumers know what to do next – and to be especially aware that bad actors may be calling, emailing or texting, displaying the last few digits of their card and recent orders, and asking these consumers to click through to links that will extract valuable information from them, drop ransomware or other malware, or do other damage. They should alert customers on how to look up details of incoming emails from Home Depot to verify the emails are authentic and not from an attacker. And they should also let customers know immediately that they may receive phone calls, texts or emails that say they’re from Home Depot, but please be assured we will not be calling or texting, and please verify all incoming emails by checking details. Merely reporting a breach without informing consumers of attacks they might expect and how to avoid them is like diagnosing a treatable illness but withholding possible treatments. It’s potentially cyber malpractice.