Home Depot, the renowned home improvement retailer operating across the United States, Canada, and Mexico, has revealed a data breach that exposed personal information belonging to a subset of its employees. The breach, attributed to a third-party Software-as-a-Service (SaaS) vendor, came to light after a leak exposed the personal data of approximately 10,000 Home Depot employees.
The incident, which unfolded on April 4, garnered attention when threat actor IntelBroker claimed responsibility on the darknet forum BreachForums, known for previous high-profile breaches. Home Depot acknowledged the breach, confirming the exposure of employees’ names, work email addresses, and User IDs.
In a statement to the media, a Home Depot spokesperson attributed the breach to the SaaS vendor inadvertently exposing the data during testing of its systems. The disclosed information, while limited, raises concerns about potential phishing attacks targeting employees, underscoring the risks associated with data breaches.
The retail giant emphasized the importance of stringent security controls for handling personal data, particularly during software testing phases. However, Home Depot has not disclosed the identity of the responsible vendor or the exact number of affected individuals.
This breach highlights the broader issue of third-party cybersecurity, emphasizing the need for rigorous vetting of external suppliers’ security measures. According to reports, 98% of organizations have ties to breached vendors, with third-party breaches comprising a significant portion of cyber incidents.
This is not the first time Home Depot has faced such a security breach. In 2014, the company experienced a similar incident resulting in the compromise of over 50 million customer email addresses and payment card information. The fallout from that breach included substantial financial settlements and a commitment to bolster cybersecurity measures.