A spreadsheet including about 8,000 Home Depot customers’ transaction details and personal information was briefly posted on a Home Depot website for an unknown length of time, according to The Atlanta Journal-Constitution (AJC).
Although financial data was not included in the information, this comes a few years after the big-box retailer’s record 2014 data breach, which has cost the company nearly $200 million total and affected 56 million customers, according to a March 12 Hardware Retailing article.
“This recent cache of customer data that was exposed on HomeDepot.com is of a different type and scale than what was harvested during Home Depot’s breach of 2014,” according to the Consumerist, a part of the Consumer Reports organization. “While the spreadsheets contained no credit card data, bank account information or Social Security numbers—which are considered legally protected data—the level of transaction detail was extensive.”
The AJC article reports that Home Depot’s spokesman Stephen Holmes says the information was taken down as soon as it was discovered. Holmes says the customer information was “posted online through a combination of a technical glitch and human error.”
The lists were hosted under the Home Depot web domain, which means they were accessible to the public. However, the information could only be found by someone who knew where to look for them, according to the AJC article.
While Holmes says there was “no indication thus far that anyone retrieved and misused the information,” data leaks like this can still lead to customer scams, like “‘pretexting,’ where a scammer convinces his or her target of a pre-existing relationship in order to get access to more more valuable information,” Brian Krebs, a cybersecurity expert of KrebsOnSecurity.com told the Consumerist. “Just a little bit of information about a person can demonstrate that you already have a relationship with that person as a service provider or company,” Krebs says.