Home Depot Canada scrambles to repair customer data breach

By Jeff Domansky, Oct 30, 2020

Another day, another serious data breach!

This time it’s Home Depot Canada that appears to have mistakenly emailed an undetermined number of existing customers the data purchase and confirmation info of hundreds of other Canadian customers by mistake.

The breach first popped up on Twitter on Wednesday morning (Oct 28) in a tweet from a customer in Ontario who said he received an email with customer purchase information and confirmation data for hundreds of other Home Depot customers in Canada.

“Hey um… I’m pretty sure I received a reminder email for literally every online order that is currently ready for pick up at literally every Home Depot store in Canada. There are 660+ emails. Something has gone wrong,” the customer tweeted.

It appears the personal order data was emailed to more than 500 other Canadian customers through an undetermined internal error.

“We don’t really know how it happened but it sounds like possibly an internal error. If one of those emails landed in the hands of an attacker, it’s like early Christmas for them. Any attacker would otherwise have to pay big money for real-time data on actual orders,” said Chloé Messdaghi, VP of Strategy, Point3 Security.

Chloe Messdaghi, VP Point3 Strategy — *Chloé Messdaghi*

“After this event, any attacker with that information on orders in process or ready can just call or send a look-alike email and say “Sorry about this data breach, let us offer you this $50 gift card – please click here to receive it.” And then, a smart attacker would send a follow-up email or a text to each consumer whose data was leaked, saying “we’re sorry – please check your email, we’ve just sent you a gift card as a valuable customer. You can also access your gift card by clicking here.” Or they could pretend to call from HD Customer Service to collect the complete credit card information,” Messdaghi warned.

Customer concern growing

Other customers were also quick to respond with concerns on Twitter:

“This is a VERY serious data breach that has affected at least 900 consumers, not just in-store pick-up. My ONLINE ORDER was sent to 300 people, and I received the ONLINE ORDERS of 43 others. Names, home addresses, order info and credit card info was all shared 🙁 @HomeDepot” customer Bethany F tweeted from London, Ontario.

“Hey there. I too received confirmation of several people’s order. And about 300 for my order and address etc SO NOT ACCEPTABLE” tweeted customer Sharon D, a Vancouver, BC mortgage consultant.

customer concerns about Home Depot Canada data breach

Experts view of the data breach

Dr Mounir Hahad Juniper Threat Labs — *Dr Mounir Hahad*

“We often think of data breaches as the consequence of a threat actor infiltrating a network and gaining access to a sensitive data set. But, according to Verizon DBIR, human error is the third leading cause of data breaches when either policies are set wrong or data is sent to the wrong people. Fortunately, the harm that can come from this kind of data breach is limited and nowhere near what a threat actor can do with the same information,” says Dr Mounir Hahad, Head of Juniper Threat Labs.

Customers are not happy and understandably concerned about their personal data going out to hundreds of strangers.

Home Depot Canada response

Saryu Nayyar, CEO of Gurucul calls the data highly unusual. “The breach seems to be the result of an internal system error rather than an external attack. Still, releasing home and email addresses and recent order confirmations could be gold for a malicious actor. Personal information like that can be leveraged into a convincing phishing email, which could lead to the affected customers becoming victims.”

Saryu Nayyar CEO Gurucul — *Saryu Nayyar*

“While this appears to be a misconfiguration, there are tools available that can identify misconfigured systems and recognize unusual behavior to keep data breaches like this one from happening,” says Nayyar.

Home Depot has responded minimally on Twitter, offering no detailed explanation and probably not wanting to raise the profile of the incident more. But the company appears to have made outreach calls to customers offering coupons and trying to reassure them.

“We have a dedicated team phoning all our affected customers to offer our apologies and an explanation. We intend to be completing those calls today. We understand that this is frustrating to everyone, and we appreciate their patience while we worked through this system error,” Home Depot Canada advised on Twitter.

“I rec’d a call say oops sorry, we’re sending you a $25 g/c and don’t worry we fixed problem. BUT almost 300 ppl now have my billing info, home address etc. Oops isn’t good enough. Privacy/data breach!!” customer Sharon D later posted.

customers respond to Home Depot Canada data breach

“Home Depot really needs to get in front of this immediately to beat attackers to the punch. They need to let their consumers know what to do next – and to be especially aware that bad actors may be calling, emailing, or texting, displaying the last few digits of their card and recent orders, and asking these consumers to click through to links that will extract valuable information from them, drop ransomware or other malware, or do other damage,” Messdaghi says.

“They should alert customers on how to look up details of incoming emails from Home Depot to verify the emails are authentic and not from an attacker. And they should also let customers know immediately that they may receive phone calls, texts, or emails that say they’re from Home Depot, but please be assured we will not be calling or texting, and please verify all incoming emails by checking details,” she adds.

“People don’t know about phishing and we as security professionals need to let them know about it because their information is now out there, out of their control. Home Depot needs to fully take ownership that this situation happened, and be realistic with these customers – educate them and let them know what this can lead to. Holding back this information and saying “here, have a coupon” is ill serving them. Once a breach or leak such as this happens, their data is out there. Be honest with customers and let them know what to do to protect themselves,” advises Messdaghi.

Meanwhile, Home Depot claims to be ahead of the problem, tweeting: “This systems error has been fixed and impacts a very small number of customers who had placed orders on our Canadian http://Homedepot.ca website. If you haven’t already, please send us a DM so that we can help you.”

Home Depot Canada responds to data breach

With the approach of the busy holiday shopping season and the expected big increase in online shopping, merchants and sellers need to be vigilant about their security and their contingency plans if a major hack or data breach occurs. The Home Depot Canada data breach is just another important cybersecurity warning for all businesses.