Home Depot on April 8 confirmed to SC Media that a third-party software-as-a-service (SaaS) vendor had made public some employee data and that they had, in effect, been breached.
"A third-party SaaS vendor inadvertently made public a small sample of Home Depot associates' names, work email addresses, and user IDs during testing of their systems," said a Home Depot spokesperson.
A report in BleepingComputer said while the leaked data was not sensitive and only included the corporate IDs, names, and email addresses of the Home Depot associates, threat actors could use the data to conduct targeted phishing attacks on the employees.
The news followed a report on April 4 in which the threat actor IntelBroker said it leaked the data of about 10,000 employees on a hacking forum. IntelBroker is best known for breaching DC Health Link last year, the group that manages the healthcare plans of U.S. House members and their staffs.
The Home Depot data breach highlights the importance of companies implementing third-party risk management, said Craig Harber, chief evangelist at Open Systems. Harber said companies must implement consistent security standards across their entire business ecosystem to help mitigate cyberattacks originating through partner and supplier systems.
“Third-party partners are critical to most modern businesses,” said Harber. “In this particular instance, a third-party SaaS vendor was testing their system and accidentally leaked the personally identifiable information of 10,000 employees. Most likely, hackers will use this data to conduct targeted phishing campaigns to gather corporate credentials to launch a ransomware attack on Home Depot's corporate network.”
Misconfigurations are a magnet for hackers, who now use AI to find and exploit vulnerabilities with incredible efficiency, said Mika Aalto, co-founder and CEO at Hoxhunt. Aalto said It’s vital for the good guys to use emerging technical capabilities, as well to automatically find and patch the cracks in our defenses before the bad guys do.
“To prevent the types of third-party errors in this case, it’s essential for security professionals to implement rigorous vetting processes for all SaaS providers,” said Aalto. “This includes regular security audits, adherence to compliance standards, and ensuring that any shared data is encrypted and handled with the utmost care.”
Jason Keirstead, vice president of collective threat defense at Cyware, added that the Home Depot breach underscores a critical issue for the cybersecurity community: the importance of supply chain security and a program that allows for collective defense.
“In interconnected digital ecosystems, an organization's security is only as strong as the weakest link in its supply chain,” said Keirstead. “Enterprises need comprehensive intelligence feeds, and even more important, strategic, automated operationalization of that intelligence. Effective cybersecurity defense involves not just gathering information, but actively integrating it into a proactive security posture. Intelligence must inform real-time decision-making and defense strategies, allowing organizations to anticipate threats and mitigate risks before they manifest.”
