fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

Home Depot Blunder Emails Customer Order Info To Strangers

Home Depot Blunder Emails Customer Order Info To Strangers

Today multiple reports have emerged from Home Depot customers in Canada stating that the company had sent them hundreds of emails containing order information of strangers.

Multiple users received upwards of 600 “order ready for pickup” reminder emails, each pertaining to a different order.

What alarmed hundreds of users was the orders were not associated with their Home Depot accounts.

BleepingComputer has obtained copies of these emails that divulge information such as the customer’s name, order number, ordered items, and partial payment card information.

Mailboxes flooded with random order pickup notifications

A Home Depot Canada customer, Spencer K. Monckton tweeted to the company today:

“Hey um… I’m pretty sure I received a reminder email for literally every online order that is currently ready for pick up at literally every Home Depot store in Canada. There are 660+ emails. Something has gone wrong.”

home depot canada leaked emails
Home Depot Canada floods customers’ inboxes with hundreds of order information emails unrelated to their accounts
Source: Twitter

The order numbers and the information contained within these emails had no relation to Monckton’s account.

Also Read: Advisory Guidelines on Key Concepts in the PDPA: 23 Characters

Eventually, more reports surfaced over Twitter showing screenshots and videos of users’ flooded mailboxes due to what appeared to be an email system snafu.

The emails obtained by BleepingComputer reveal information such as the customer’s name, order number (with QR code), pick-up store address, items in the order, the payment amount, and last 4 digits of payment card number.

home depot email leaks customer number and order number
Home Depot emails leak customer name and order number (with QR Code)
Source: BleepingComputer

Monckton further told BleepingComputer he had received 467 emails in total between 2:32 AM and 3:29 AM EDT.

All emails related to online orders placed between October 24th and 25th, submitted for in-store pick ups. The first available pick-up day on these was Monday (October 26th).

The customers having failed to pick up the orders generated these reminder emails.

“One of the emails I got was for my own order (the first one, incidentally), but the other 466 were intended for people all across Canada, in both official languages,” he said.

“In the ‘To:’ line of each email, there were numerous other email addresses listed – up to a maximum of 544. Interestingly, the first email I got included only 83 email addresses, then the next one 84, then 85, then 86, etc. So it seems like the system worked through all the reminders scheduled to be sent, appending each new customer email to a growing list as it went. Hard to say how many customers were likely to be impacted, but you can see from @bethanyfrances’ tweet that it wasn’t just reminder emails,” Monckton told BleepingComputer.

Also Read: Contract for Service Template: 5 Important Sections

home depot email leaks credit card number last 4 digits
Pick up order emails expose last 4 digits of payment card number
Source: BleepingComputer

Monckton called this quite a “blunder” as in some cases it may be possible for the email recipients to pick up strangers’ orders as Home Depot staff may not always ask for identification, according to him.

“In some cases it’s possible to match up the first name with an email address from the to line. In theory it’s possible to pick up these people’s orders using the order number/QR code, since Home Depot doesn’t always check ID for customers when they show up for curbside pick-up. Quite a blunder!”

Reply-All and “CC” adds even more noise

To add more misery to an already terrifying situation, the order emails had several customers CC’d on them. 

This means any customer using the “Reply All” button would be responding not only to Home Depot Canada but all the customers who had received the order information in error.

“This morning I woke up to hundreds of emails from @HomeDepotCanada about picking up orders… Must have some sort of system error. While I thought that was annoying I’ve realised what is worse is all the people now “replying all” panicking about their orders,” tweeted Lauren Birch along with a video of their flooded mailbox.

When asked about the incident, Paul Berto, director, corporate communications at The Home Depot Canada told BleepingComputer:

“Tuesday evening, we discovered a systems error on select Homedepot.ca orders impacting a small number of our Canadian customers. Some customers may have received multiple emails for orders they did not place.”

“This issue has been fixed. None of the emails contained passwords or un-hashed payment card information. We apologize for the concern this has caused our customers, and we thank them for their patience and support as we quickly worked through this issue,” Berto told BleepingComputer.

Home Depot Canada also stepped in on Twitter threads they were tagged in, clarifying that the incident had impacted a “very small number” of customers with store pick-up orders scheduled.

Customers not convinced about “very small number”

Despite the company’s claims, several customers called out Home Depot for the “VERY serious data breach” and refuted that this had impacted only a few customers:

home depot serious breach tweet 2020
A user calls this a “VERY serious breach” impacting 900+ customers
Source: Twitter

bethanyfrances’ concern has merit to it considering the user’s private information which included partial payment card information was leaked to hundreds of strangers.

The user further said they were reporting the major data breach to Canada Privacy Commissioner and encouraged others to follow their lead.

While the incident did not expose overtly sensitive information such as complete payment card data or user passwords, it is still a serious privacy breach.

Receiving not a few—but hundreds of emails with full names, addresses, partial payment card numbers, and order info of random strangers will ring anyone’s alarm bells.

In 2014, Home Depot had experienced a data breach that compromised credit card details of 56 million users.

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us