Home Depot‘s in hot water again after accidentally publishing spreadsheets with about 8,000 customers’ transaction and personal data onto their website. While no financial information was leaked — like the 2014 data breach of 56 million Home Depot customers’ information — the data did include the names, mailing addresses, email addresses and information chronicling customer complaints. The leak was anonymously reported to Consumerist last week.
One of the most alarming aspects of this leak is how simply it occurred. In what appears to be a mistake, the spreadsheets were published on a Home Depot page that was able to be searched by any common search engine, allowing anyone to access the information, and it was available online for an unspecified length of time before being removed. Home Depot took responsibility in a comment to Consumerist, saying, “The information was out there, and as hard as it would have been for anyone to find, it shouldn’t have been [out there]. This was an inadvertent human error that we addressed as soon as we discovered it. Although the data was low-risk and not the type of information commonly used for fraud or identity theft, we take the matter very seriously.”
Unfortunately for customers, the type of information released is not consistently identified by state laws as “legally protected data,” so it may be difficult to seek restitution from Home Depot for any damages that occur from the leak. Home Depot has not stated how the mistake was made or how long it took for them to remove the information, which raises questions about the frequency of these kinds of mistakes and whether companies are obligated to reveal data leaks to consumers. It took Consumerist contacting Home Depot for comment to receive any admittance of the issue, and company spokesman Stephen Holmes admitted he didn’t know when the breach even took place, saying, “That happened a while ago.” According to Access Atlanta, Holmes said the information was leaked due to a combination of human error and technical issue with the site.
KrebsOnSecurity, the cybersecurity blog that broke the story of Home Depot’s 2014 breach, Target’s 2013 breach and GameStop’s data breach earlier this year, told Consumerist that although this information isn’t usually used for identity theft, it can be used for a scam called “pretexting,” where a scammer uses personal information to convince their target they have a pre-existing relationship and use that to get more valuable information, like Social Security numbers or bank accounts.
If you’re worried that your information may have been compromised, you can contact Home Depot’s main customer service line: 800-466-3337. Spokesman Holmes said, “We have 1.5 billion transaction a year, so the chances that somebody calls at random and they are on the list are pretty small. But if a customer calls, we’ll tell him if his information was there.” According to Consumerist, Home Depot has no plans to contact the customers whose data was leaked, so if you want to know, you’ll have to call them.