Home Depot exposes thousands of customers online

Cal Jeffrey

Posts: 4,140   +1,406
Staff member

You may recall that a few years ago hackers gained access to the credit card information of 56 million Home Depot customers. Well, Home Depot has suffered another data breach. However, this time it was not hackers that were to blame. According to Consumerist, whoever designed and manages its website posted customer information on the HomeDepot.com domain without any encryption or any other sort of protection. The data was completely exposed and indexed by search engines.

The compromised information consisted of 13 spreadsheets containing full names, addresses, phone numbers, and email addresses of around 8,000 customers. The documents were apparently part of Home Depot’s installation complaint department as the spreadsheets also contained detailed complaint information such as what was installed (countertop, tile, etc.), the reason for the complaint, and the customer service agent that handled the complaint. There was also at least one facsimile containing the name, address, and signature of a client.

It is unknown how long the data had been exposed, and HomeDepot has since removed it and issued a statement.

“The information was out there, and as hard as it would have been for anyone to find, it shouldn’t have been [out there]. This was an inadvertent human error that we addressed as soon as we discovered it. Although the data was low-risk and not the type of information commonly used for fraud or identity theft, we take the matter very seriously.”

The fact that someone indeed found it and that the information was indexed by each engines (see image), flies in the face of Home Depot’s stance that the information was hard to find. However, since the documents contained no credit card, bank account, or Social Security numbers, it is legally not considered a data breach.

Home Depot and the law looks at the data that was exposed as no more than what someone would find in a telephone book. However, as Consumerist points out, the data also contained transaction information. Looking up a name in a directory is not going to reveal where a person has conducted business and what goods and services they purchased. Nor will it tell what problems they had with the product or service.

A scammer skilled in social engineering, which most are, could do a lot with those Home Depot spreadsheets. Posing as someone from Home Depot might not be that easy. However, when armed with specific information, not only about the customer but about what they had installed and what problems they had with the installation, scammers can use the information to sound very convincing. When posing as a customer service representative, what other information could a malicious party get from the victim?

Home Depot says that they are not going to contact clients who were on the documents as they believe it will open them up to phishing scams, which is a valid concern. Instead, they are asking that customers concerned about their privacy call Home Depot Customer Service.

Screenshot by Consumerist

Permalink to story.

 
I don't think anyone cares about which counter tops Mary Beth is had Home Depot install.
They might care if they ended up having a conversation that went something like:

"Yes, Mary Beth. This is Karen from the Home Depot. We spoke last Wednesday about the countertop we installed in your kitchen on the 17th?"
"Yes."
"Again, we apologize for the chip on the edge, but I have good news. We passed your complaint up to corporate and received authorization to refund the installation fees plus ten percent for your trouble, and we will also send someone out to fix it. Does that sound agreeable to you?"
"Yes! Thank you very much."
"Great. We would like to credit the refund to your credit or debit card for your convenience. Is that okay?"
"Yes."
"Great. If I could just get your credit card number and expiration date, I'll ... hang on let me just calculate the 10 percent ... If I could your credit card information I'll credit it a total of $278.98 immediately."
"That would be wonderful. Thank you. [credit card scammed]. Thank you again."
"It was my pleasure, Mrs. Jones. Thank you for shopping Home Depot and has a great day."
 
I don't think anyone cares about which counter tops Mary Beth is had Home Depot install.
They might care if they ended up having a conversation that went something like:

"Yes, Mary Beth. This is Karen from the Home Depot. We spoke last Wednesday about the countertop we installed in your kitchen on the 17th?"
"Yes."
"Again, we apologize for the chip on the edge, but I have good news. We passed your complaint up to corporate and received authorization to refund the installation fees plus ten percent for your trouble, and we will also send someone out to fix it. Does that sound agreeable to you?"
"Yes! Thank you very much."
"Great. We would like to credit the refund to your credit or debit card for your convenience. Is that okay?"
"Yes."
"Great. If I could just get your credit card number and expiration date, I'll ... hang on let me just calculate the 10 percent ... If I could your credit card information I'll credit it a total of $278.98 immediately."
"That would be wonderful. Thank you. [credit card scammed]. Thank you again."
"It was my pleasure, Mrs. Jones. Thank you for shopping Home Depot and has a great day."

Great post Cal ... lot of pretty smug people here but you nailed it. Home Depot got screwed last year and here they go again. Biggest thing to me is that they seem like a bunch of amateurs and they haven't gotten any better IMHO (Flame away you all).
 
Just bought plants there to plant a balcony garden in a beautiful apartment I moved to in westmont, il near where I used to live shared with an artist roommate. He has painted the walls to look like the the chicago skyline, for example. I applied for a new home depot credit card to get $20 off, and they accidently gave me $40 off. There was some purgatory before getting here, tho, caused by my mother being late on 2 of our credit cards.
 
Back