
A Home Depot Third-Party Data Breach Leaks the Personal Information of 10,000 Employees

Home Depot has disclosed a third-party data breach after a SaaS vendor leaked a subset of employee data exposing their personal information.

Home Depot is a home improvement retailer with over 2,300 stores in the United States, Canada, and Mexico. It employs about 465,000 people and earned a net income of $15.1 billion during the 2023 fiscal year.

The incident surfaced on April 4, when the well-known threat actor IntelBroker claimed on the darknet hacking forum BreachForums to have stolen data belonging to 10,000 employees.

“In April 2024, Home Depot suffered a data breach that exposed the corporate information belonging to 10K employees of the company,” IntelBroker posted.

The threat actor gained infamy outside dark web circles after breaching DC Health Link and exposing the personal information of U.S. House members, their families, and staff, triggering a congressional inquiry.

Home Depot confirms third-party data breach

A Home Depot spokesperson has confirmed that the Atlanta, Georgia-based company suffered a data breach exposing employee information.

“A third-party Software-as-a-Service (SaaS) vendor inadvertently made public a small sample of Home Depot associates’ names, work email addresses, and User IDs during testing of their systems,” Home Depot told news outlets.

Ideally, companies should not use live personal data for software testing unless production-grade security controls are in place to avoid inadvertent disclosure.
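One way to follow that recommendation, as an added example that is not part of the original article and is not Home Depot's or the vendor's code: pseudonymize exactly the three field types named above (names, work email addresses, User IDs) before any record leaves production, and gate the test dataset on a check that no live mail domain survives. The sample rows, the production domain and the HMAC key are assumptions.

```python
import hmac
import hashlib

# Constructed sample of the three field types named in the article;
# every value here is invented.
PRODUCTION_ROWS = [
    {"user_id": "HD1001", "name": "Jane Doe", "email": "jane.doe@homedepot.example"},
    {"user_id": "HD1002", "name": "John Roe", "email": "john.roe@homedepot.example"},
    {"user_id": "HD1001", "name": "Jane Doe", "email": "jane.doe@homedepot.example"},
]
PRODUCTION_DOMAINS = {"homedepot.example"}    # assumption: the live mail domain(s)
TEST_DOMAIN = "test.invalid"                  # reserved TLD: mail can never be delivered
PSEUDONYM_KEY = b"rotate-me-per-environment"  # assumption: never shipped to the test env


def pseudonym(key: bytes, field: str, value: str) -> str:
    """Keyed, field-scoped pseudonym: stable for equal inputs, unlinkable without the key."""
    digest = hmac.new(key, f"{field}:{value}".encode(), hashlib.sha256).hexdigest()
    return digest[:12]


def mask_row(row: dict, key: bytes = PSEUDONYM_KEY) -> dict:
    """Replace the identifying fields while keeping referential integrity (same person -> same IDs)."""
    uid = pseudonym(key, "user_id", row["user_id"])
    return {
        "user_id": f"T{uid}",
        "name": f"Associate {uid[:6]}",
        # Local part derived from the pseudonym; domain is always the undeliverable test domain.
        "email": f"user-{uid}@{TEST_DOMAIN}",
    }


def build_test_dataset(rows, key: bytes = PSEUDONYM_KEY) -> list:
    """Produce the dataset a SaaS vendor should receive instead of live associate records."""
    return [mask_row(r, key) for r in rows]


def leaks_live_data(rows, production_domains=PRODUCTION_DOMAINS) -> list:
    """Pre-release gate: return every row still carrying a production mail domain."""
    return [r for r in rows
            if r["email"].rsplit("@", 1)[-1].lower() in production_domains]
```

Running `leaks_live_data` on the masked set should return an empty list; a non-empty result means the export must not be handed to the vendor.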

While the third-party data breach exposed only limited personal details, those details included work email addresses, which could be used in targeted phishing attacks that in turn lead to more serious incidents, including ransomware.

Consequently, Home Depot employees should remain vigilant for unsolicited emails purporting to come from the company and verify any emailed instructions before acting on them, to avoid falling victim to cyberattacks and fraud.

Home Depot has not disclosed the identity of the vendor responsible for the third-party data breach or the official number of impacted individuals. It also remains unclear if the home improvement retailer or the external vendor has notified the impacted individuals that their personal information was involved in a third-party data breach.

Importance of third-party cybersecurity

The Home Depot third-party data breach demonstrates that security extends beyond the company’s perimeter and underscores the importance of vetting external suppliers’ cybersecurity practices.

According to the Global Third-Party Cybersecurity Breach Report by the IT risk management firm SecurityScorecard, 98% of organizations are affiliated with a breached vendor.

The report also found that third-party breaches account for 29% of all cyber incidents, with software and tech products responsible for 75% of all third-party breaches.

This is hardly the first time that a trusted vendor has exposed the home improvement retail giant to a cyber attack.

In 2014, Home Depot suffered a third-party data breach when attackers used a vendor’s login credentials to breach the company’s network and install custom malware to harvest payment card information and email addresses of over 50 million individuals.

Subsequently, the retail chain agreed to pay over $17.5 million to residents of 46 states and the District of Columbia to settle related lawsuits. The company also expected to spend over $179 million on the subsequent cleanup.

It also promised to review its data security practices, employ a competent chief information security officer, and train key personnel on information security.

Although Home Depot refused to admit liability, it faced criticism for failing to disclose the incident promptly: the breach only became public after cybersecurity journalist Brian Krebs reported it.