You may recall that a few years ago hackers gained access to the credit card information of 56 million Home Depot customers. Well, Home Depot has suffered another data breach. However, this time it was not hackers that were to blame. According to Consumerist, whoever designed and manages its website posted customer information on the HomeDepot.com domain without any encryption or any other sort of protection. The data was completely exposed and indexed by search engines.
The compromised information consisted of 13 spreadsheets containing full names, addresses, phone numbers, and email addresses of around 8,000 customers. The documents apparently came from Home Depot’s installation complaint department, as the spreadsheets also contained detailed complaint information such as what was installed (countertop, tile, etc.), the reason for the complaint, and the customer service agent that handled the complaint. There was also at least one facsimile containing the name, address, and signature of a client.
It is unknown how long the data had been exposed. Home Depot has since removed it and issued a statement.
“The information was out there, and as hard as it would have been for anyone to find, it shouldn’t have been [out there]. This was an inadvertent human error that we addressed as soon as we discovered it. Although the data was low-risk and not the type of information commonly used for fraud or identity theft, we take the matter very seriously.”
The fact that someone indeed found it, and that the information was indexed by search engines (see image), flies in the face of Home Depot’s stance that the information was hard to find. However, since the documents contained no credit card, bank account, or Social Security numbers, it is legally not considered a data breach.
Home Depot and the law look at the data that was exposed as no more than what someone would find in a telephone book. However, as Consumerist points out, the data also contained transaction information. Looking up a name in a directory is not going to reveal where a person has conducted business and what goods and services they purchased. Nor will it tell what problems they had with the product or service.
A scammer skilled in social engineering, which most are, could do a lot with those Home Depot spreadsheets. Posing as someone from Home Depot might not be that easy. However, when armed with specific information, not only about the customer but about what they had installed and what problems they had with the installation, scammers can use the information to sound very convincing. When posing as a customer service representative, what other information could a malicious party get from the victim?
Home Depot says that they are not going to contact clients who were on the documents as they believe it will open them up to phishing scams, which is a valid concern. Instead, they are asking that customers concerned about their privacy call Home Depot Customer Service.
Screenshot by Consumerist