Home Depot website exposed personal data: Consumer ReportsReprints
Consumer Reports said Thursday it found personal data from about 8,000 individuals that was unprotected on Home Depot Inc.’s website, although it has now been removed.
Yonkers, New York-based Consumer Reports, a nonprofit independent organization that researches and publishes product ratings and reviews, said in an article released Thursday that, based on an anonymous tip, it found a site that hosted Excel spreadsheets of customer records, including full names, phone numbers, mailing addresses and email addresses of about 8,000 people, as well as other information chronicling the apparent installation complaints of each customer of the Atlanta-based retailer.
It said although the data has been removed, it is unclear how long it was publicly exposed.
Consumer Reports said the internet address that hosted these spreadsheets — along with one random document containing a scanned printout of a customer’s name, address and signature — was part of the HomeDepot.com domain.
It said all the files there were unencrypted, unprotected, discoverable by search engines and “completely accessible to the open Internet.”
“The data leak was small by comparison to many high-profile security incidents of the past few years, but it offers a view into what may well be a vast class of personal information that is offered virtually no legal protection by the various state laws that largely define what is, and is not, a data breach,” said Consumer Reports in the article.
Home Depot said in an emailed statement: "The information was out there, and as hard as it would have been for anyone to find, it shouldn't have been. This was an inadvertent human error that we addressed as soon as we discovered it. Although the data was low-risk, we take the matter very seriously."
Home Depot reached a $25 million settlement with financial institutions connection with its massive 2014 data breach earlier this year.