Home Depot Canada has confirmed it accidentally sent emails containing private customer information to the wrong recipients.
According to ThreatPost, the Canadian banner of the home improvement giant mis-sent hundreds of order confirmations including customer names, delivery and email addresses, order details, and partial credit card data. In response to complaints posted by customers on Twitter, the company tweeted an admission of the mistake in two separate tweets on the official @HomeDepotCanada account Wednesday, Oct. 28.
The first tweet acknowledged the issue affected a “very small” number of customers who had in-store pickup orders. Several hours later, a second tweet from the company confirmed that a “very small” number of customers who placed orders on Home Depot’s Canadian website were also affected by what it termed a “systems error.” Both tweets indicated the problem had been resolved and invited anyone with additional questions to send the company a direct message on Twitter.
However, one tweet from a woman claiming to be an affected customer stated at least 900 in-store and online consumers were impacted. She said her online order was sent to 300 people and she received online order confirmation emails meant for 43 other customers, including names, home addresses, order information and credit card information.
In a statement to ThreatPost, Home Depot Canada said, “Tuesday evening, we discovered a systems error on select http://Homedepot.ca orders impacting a small number of our Canadian customers. Some customers may have received multiple emails for orders they did not place. This issue has been fixed. None of the emails contained passwords or un-hashed payment card information.”
Home Depot’s U.S. parent company was the victim of a major data breach in 2014, which may have compromised more than 56 million customer payment cards and cost the company an estimated $62 million in investigative and remedial efforts, partially offset by $27 million it expected to be reimbursed by insurance.
One security expert told Chain Store Age this security lapse could have serious ramifications for customers.
“After this event, any attacker with that information on orders in process or ready can just call or send a look-alike email and say ‘Sorry about this data breach, let us offer you this $50 gift card – please click here to receive it,’” said Chloe Messdaghi, VP of Strategy, Point3 Security. “Home Depot really needs to let their consumers know to be especially aware that bad actors may be calling, emailing or texting, displaying the last few digits of their card and recent orders, and asking these consumers to click through to links that will extract valuable information from them, drop ransomware or other malware, or do other damage.”
Mounir Hahad, head of Juniper Threat Labs, said this type of security incident is more common than people realize and took a softer view of its potential impact on consumers.
“We often think of data breaches as the consequence of a threat actor infiltrating a network and gaining access to a sensitive data set,” said Hahad. “But, according to Verizon DBIR, human error is the third leading cause of data breaches when either policies are set wrong or data is sent to the wrong people. Fortunately, the harm that can come from this kind of data breach is limited and nowhere near what a threat actor can do with the same information.”