Home Depot has been storing mountains of customer data on a publicly accessible, unencrypted page, leaving many of them vulnerable to scams and identity theft, according to Consumerist. Worse yet, some of the files found on the page were even discoverable by search engines, making them even easier to find.
It is not uncommon to discover that a large corporate entity or organization is running a website with poor security, or even leaving customer information accessible to hackers. Home Depot’s latest debacle, might not affect a large number of people but it is still pretty egregious and shows there is a myriad of ways large companies can have weak security.
As many as 8,000 customers’ details were available in a publicly accessible Excel document, alongside many images of customers themselves and their products. Discovered by a concerned tipster and forwarded to Consumerist, the leak does not contain any financial information but there is still a lot of personal data up for grabs for anyone with an inquisitive mind.
The security flaw seems to stem from Home Depot’s MyInstall program, a service which helps customers communicate with installers. The recorded data is all related to complaints to do with the service, including logged names and addresses, the nature of the complaint and in some cases photos of the problem and the customers’ buying the product in question.
Home Depot’s response to a request for comment saw it remove the data immediately and claim that although it did not see the data as a high risk, it should not have been available as it was.
Although it is arguable that the data in this leak is not of the most sensitive type, it could easily be used as the foundation for a phishing scam. Likewise, social engineering becomes far easier with this sort of information.
As it stands, we do not know why this information was as publicly available as it was, but it is possible that it was the error of an employee at Home Depot, or possibly even someone acting maliciously. It may even be something as simple as Home Depot not investing in a robust software solution for its MyInstall program.
Home Depot says it has no plans to contact affected consumers, lest that invite a phishing scam, it is urging anyone that thinks they may be affected to contact its customer service number.
The concern now is that Home Depot is unlikely to be the only company operating companion services like this with lackluster security. Although far from the fault of consumers, security breaches like this go to show why you need to take your own security very seriously. Making sure you are not using weak passwords is an important first step.
This is not the first time Home Depot has been found with less-than-ideal digital security. It recently paid more than $20 million to settle a leak in 2014, which saw hackers steal the payment and personal information of millions of its customers.
