
Home Depot left customers' unprotected personal data online

No financial data was accessible, but even names, emails and addresses can be exploited by scammers.


It's been a while since hackers broke into Home Depot's servers and stole 56 million customers' credit card information back in 2014. But recently, a tipster pointed business watchdog site Consumerist to a web address under the HomeDepot.com domain. The unprotected page stored photos of various home improvement projects... and 13 Excel spreadsheets filled with customer data. All told, it had names, phone numbers, and physical and email addresses for up to 8,000 people. And all those files sat there unprotected, unencrypted and discoverable by search engines for an unknown period of time.

Home Depot has since removed the files from the site, according to Consumerist. The spreadsheets didn't contain credit card data, bank account information or Social Security numbers -- all of which are legally protected, and exposing them lands whoever is responsible in legal hot water. In other words, leaving this non-financial/non-SS personal information accessible on the internet (however indirectly) isn't necessarily illegal.

It is, however, terrible for an exposed user's privacy -- and could potentially leave them open to future scamming. Names, phone numbers and physical and email addresses are all details that could be used in a phishing attempt to feign familiarity while asking for more crucial information.

The personal data left online all came from complaints logged for Home Depot's MyInstall program, which the company offers to help customers communicate with contractor installers. The records included product types, installation services and the name of the person servicing the complaint -- yet more details that could have further helped scammers pretending to contact customers on an official basis.

To be clear, this wasn't a breach of security, just an unfortunate patch of customer data erroneously left open to the public.

"The information was out there, and as hard as it would have been for anyone to find, it shouldn't have been. This was an inadvertent human error that we addressed as soon as we discovered it. Although the data was low-risk, we take the matter very seriously," a Home Depot spokesperson told Engadget over email.

Unfortunately, even though the data wasn't released as the result of a deliberate hack, it was still available for an unknown period of time. We won't know the ramifications of this mistake unless someone attempts to take advantage of any of the 8,000 Home Depot customers affected.