The Home Depot exposed private order confirmations of hundreds of Canadian consumers on October 28, containing names, physical addresses, email addresses, order details and some credit-card information.
One customer posted a screenshot of his inbox on Twitter, filled with other people’s order confirmations. The Home Depot replied with a confirmation:
Thank you for reaching out to us. We are aware of what occurred this morning and can confirm that this issue has now been fixed. This issue impacted a very small number of our customers who had in-store pick-up orders. Please DM us with any additional questions. — Home Depot Canada (@HomeDepotCanada) October 28, 2020
Eventually, more reports surfaced on Twitter. According to emails obtained by BleepingComputer, the exposed information included the customer's name, the order number along with its QR code, the pick-up store address (or in some cases the customer's home address), the items in the order, and a payment receipt containing the last four digits of the payment card number.
“We often think of data breaches as the consequence of a threat actor infiltrating a network and gaining access to a sensitive data set,” Mounir Hahad, Head of Juniper Threat Labs, tells RIS. “But, according to Verizon DBIR, human error is the third leading cause of data breaches, when either policies are set wrong or data is sent to the wrong people.”
Later that night Home Depot replied again on Twitter: “Thank you for reaching out. This systems error has been fixed and impacts a very small number of customers who had placed orders on our Canadian http://Homedepot.ca website. If you haven't already, please send us a DM so that we can help you.”
“We don’t really know how it happened, but it sounds like possibly an internal error,” Chloé Messdaghi, VP of Strategy, Point3 Security, says. “If one of those emails landed in the hands of an attacker, it’s like early Christmas for them. Any attacker would otherwise have to pay big money for real time data on actual orders.
“Home Depot really needs to get in front of this immediately to beat attackers to the punch. They need to let their consumers know what to do next – and to be especially aware that bad actors may be calling, emailing or texting, displaying the last few digits of their card and recent orders, and asking these consumers to click through to links that will extract valuable information from them, drop ransomware or other malware, or do other damage.
“Merely reporting a breach without informing consumers of attacks they might expect and how to avoid them is like diagnosing a treatable illness but withholding possible treatments. It’s potentially cyber malpractice.”
While the snafu seems to be an internal error, releasing home and email addresses and recent order confirmations could be gold for a malicious actor.
“While this appears to be a misconfiguration, there are tools available that can identify misconfigured systems and recognize unusual behavior to keep data breaches like this one from happening,” Saryu Nayyar, CEO, Gurucul says.