Home Depot Hammered by Supply Chain Data Breach

SaaS vendor to blame for exposing employee data that was ultimately leaked on Dark Web forum, according to the home improvement retailer.

Home Depot storefront
Source: Ian Dagnall via Alamy Stock Photo

A hacking forum leak has led Home Depot to confirm that its employee data was compromised via a third-party software vendor.

Home Depot did not identify the breached software-as-a-service (SaaS) vendor but said an error exposed the names, corporate IDs, and email addresses of a "small sample" of its employees, according to reports. Now up for sale on the Dark Web, this is the type of data that could be used to fuel targeted phishing cyberattacks.

The incident highlights how selecting SaaS vendors with strong cybersecurity protections is critical for enterprises, according to Tamir Passi, director of product with DoControl.

Software Supply Chain Cyber Risk

Passi recommends testing a third-party supplier's workflow before providing them access to your data.

"Ideally, real employee data should not be used to test a new vendor's workflow," Passi explained in a statement. "In general, system testing and validation should be done with non-production data sets unless all the necessary and same security and privacy protocols are in place for production as for testing."

Passi cautioned that once data is handed over to a partner, it's too late to do anything about its security.

In addition to due diligence and vetting prior to selecting a SaaS vendor, Mika Alto, co-founder and CEO of Hoxhunt, recommends regular audits.

"The threat landscape is always changing, so continuous training on security best practices are vital," Alto said in a statement. "Employees and security professionals at all levels should be equipped to recognize and respond to potential threats, including those that may arise from third-party sources."

A decade ago Home Depot experienced a much larger data breach where customer credit card data related to purchases at stores across the US and Canada was compromised.

About the Author

Becky Bracken, Senior Editor, Dark Reading

Dark Reading

Becky Bracken is a veteran multimedia journalist covering cybersecurity for Dark Reading.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights