Recently, Consumerist received an anonymous tip pointing to an internet address that hosted digital images of bathtubs, garage doors, kitchen countertops, contractors at work on various projects, and customers picking out and paying for products in a home-center store. The site also hosted 13 Excel spreadsheets of customer records, including the full names, phone numbers, mailing addresses and email addresses of approximately 8,000 people, as well as other information chronicling the apparent installation complaints of each customer.
The internet address that hosted these spreadsheets — along with one random document containing a scanned printout of a customer’s name, address, and signature — was part of the HomeDepot.com domain; and all the files there were unencrypted, unprotected, discoverable by search engines (several of the email addresses listed, when typed into a Google search, surfaced the documents), and completely accessible to the open internet.
This data leak was small by comparison to many high-profile security incidents of the past few years, but it offers a view into what may well be a vast class of personal information that is offered virtually no legal protection by the various state laws that largely define what is, and is not, a data breach.
While the spreadsheets contained no credit card data, bank account information, or Social Security numbers — which are considered legally protected data — the level of transaction detail was extensive.
Each entry contained a record of a complaint logged with Home Depot’s MyInstall program, a service the home-improvement retailer offers customers to help them communicate and coordinate with its network of installers. The records in the spreadsheet included the type of product or installation service each customer had an issue with (carpet, garage doors, countertops, etc.), the reason for the complaint (“defective merchandise,” “leaks,” “incorrect placement”) as well as the name of the “care agent” who had presumably serviced the complaint.
It’s unclear how long the data had been publicly exposed, but the files have since been removed from Home Depot’s site. When reached for comment, Home Depot responded in an e-mailed statement: “The information was out there, and as hard as it would have been for anyone to find, it shouldn’t have been [out there]. This was an inadvertent human error that we addressed as soon as we discovered it. Although the data was low-risk and not the type of information commonly used for fraud or identity theft, we take the matter very seriously.”
Home Depot has attracted scrutiny in the past when it comes to data security. In the spring of 2014, hackers used compromised vendor credentials to penetrate the company’s internal IT systems and, after exploring the company’s network, installed custom malware on 7,500 of the company’s self-checkout registers. For a period of five months, the intruders collected the personal and financial information of approximately 56 million of Home Depot’s customers.
This recent cache of customer data that was exposed on HomeDepot.com is of a different type and scale than what was harvested during Home Depot’s breach of 2014. But the appearance (and disappearance) of these files on HomeDepot.com raises a variety of questions that go way beyond the circumstances of this one incident. For instance: How frequently does this sort of thing happen? Do companies have any obligation to tell consumers if their data is exposed this way? And perhaps most important for the people whose names and information was listed in these documents: Just how potentially damaging could this data be if it fell into the wrong hands?
An Invitation to Imposters
Viewed one way, some of the customer information in the spreadsheets found on HomeDepot.com could be listed in an ordinary phone book. But when combined with the context of transaction information, the data could prove highly valuable to a motivated scammer.
Brian Krebs, a cybersecurity expert who runs the influential site KrebsOnSecurity.com, says that data such as names and addresses, as well as customer service details could be useful for “pretexting,” where a scammer convinces his or her target of a pre-existing relationship in order to get access to more valuable information. (Pretexting is also known by a number of other names, such as “spear phishing,” or “imposter scams.”)
“Just a little bit of information about a person can demonstrate that you already have a relationship with that person as a service provider or company the target has done business with previously,” he explains. Krebs was the one who broke the story of Home Depot’s breach in 2014, as well as Target’s massive data breach in 2013, in which hackers stole the credit or debit card data for approximately 40 million people.
Hackers routinely use Google searches to find unsecure documents with customer data or company secrets. A clever scammer who got hold of spreadsheets like the ones that were hosted on HomeDepot.com could call the listed customers, pretending to be from Home Depot by using the transaction details in the document as a “pretext” for obtaining more valuable info, such as account credentials, bank account numbers, or social security numbers.
In addition to being used by scammers directly, personal data is also bought, sold, and traded. The more detailed the information, the more useful (and thus valuable) it is to the scammer.
“A lot of information or partial information can be traded on the black market and on dark web sites,” says Nat Wood, associate director of the Bureau of Consumer Protection’s Division of Consumer and Business Education at the Federal Trade Commission (FTC), referring to the parts of the web that are hidden from search engines and cloaked in encryption.
Wood works to educate consumers and businesses on security best practices and was only asked general questions about pretexting, imposter scams, and phishing and is not commenting specifically on Home Depot. He notes that less-sensitive personal information can be combined with data obtained through illegal means.
“Sometimes the scammers have part of your Social Security number, or they know a lot about you,” says Wood. “They know where you live and your name and some of your relations. They either know, or can guess, an account that you have, and they sound very legitimate.”
Wood says imposter scams are a growing area of concern for the FTC and are not at all uncommon.
“There are a lot of people placing phone calls who are lying about who they are to get information, or get money,” says Wood. “It’s wise to have some skepticism and to check things out.” The FTC gets so many complaints to both the agency and its partners that Wood characterizes it as an “epidemic of imposters.”
How Customer Data Leaks
According to experts we spoke with, there are a variety of ways this sort of customer data could become exposed on a company’s website. It could be either a deliberate action or an unfortunate mistake by an employee or vendor with the ability to upload data to the company’s public-facing website; or it could be the result of a lack of investment in systems and tools designed to secure and transmit data.
“Sometimes it’s not even intentional,” says Jeremy Koppen, principal consultant with Mandiant, a division of the cybersecurity firm FireEye, a company that helps companies clear their servers of malware and plug security holes after data breaches — known in the industry as “incident response.”
According to Koppen, who was not briefed on the specifics of the Home Depot situation, internal data sometimes ends up on external sites because of incorrectly configured systems, or possibly from employees who don’t realize that they are leaving this information out there for the taking.
“I think a lot of it comes down to asset management, and making sure you’re aware of all the systems and where they are in the environment,” he explains, adding that Mandiant has worked with businesses that have strict policies but are still falling short when it comes to ensuring that staffers actually follow the organization’s guidelines.
When we described the files that were present on Home Depot’s site to experts at the Cyber Independent Testing Lab (CITL), a partner of Consumer Reports in a new initiative to develop a privacy standard for the Internet of Things and other digital products and services, they saw it as part of a deeper issue.
“An organization of this size should be expected to train their employees better on how to handle personally identifying information,” said Sarah Zatko, chief scientist at CITL, “Having support issues logged in an Excel file is surprising for this large a company, let alone on a publicly facing system.”
A Regulatory Vacuum
It’s nearly impossible to tell how widespread this sort of data leakage could be beyond the Home Depot case, since the state laws that largely define when and how companies need to notify customers when their data is exposed don’t generally cover personal information if it’s not tied to a financial account or medical record. “Email addresses are mentioned in some breach notification laws, but only when breached in combination with a password,” says Pam Greenberg of the National Conference of State Legislatures (NCSL).
The NCSL advocates on behalf of state lawmakers, and also acts as a central clearinghouse for information on state laws, and its site lists a variety of internet privacy legislation protecting everything from records of e-book rentals and purchases to Social Security numbers to the browsing information of customers of internet service providers. But Greenberg wasn’t aware of any state laws that require businesses to encrypt customer transaction records that don’t include financial data, or to notify their customers if such information was accessed by an unauthorized outside user when not in combination with a breached password.
Two bills introduced in Congress in 2011 and 2014 would have expanded the type of consumer data leaks that would trigger a breach notification, but neither gathered enough support to become law. In 2015, legislation introduced by Sen. Patrick Leahy (D-Vt.) sought to add consumer protections for a few new categories of sensitive personal data — including unique biometric data, like fingerprints; physical and mental health information; geolocation data; and private digital photographs and videos.
Sen. Leahy remains hopeful that a solution can be found, and told us in an emailed statement that there is “some bipartisan support for consumer privacy.”
“Though security concerns and fast-evolving technologies have complicated the debate, Americans still value their privacy,” Leahy said. In Consumer Reports’ Consumer Voices survey published earlier this year, 65 percent of Americans told us they are either slightly or not at all confident that their personal data is private and not distributed without their knowledge.
Protect Yourself
Home Depot says that it has no plans to proactively contact MyInstall customers whose information was exposed through these documents. A company representative cited a concern that a promise to reach out to consumers might itself invite phishing scams.
The company did say that customers who wanted to check to see if their information was in these spreadsheets could do so at Home Depot’s main customer service line: 800-466-3337.
Even if you’ve never been a Home Depot MyInstall customer, there are some things you can do to see if your data has been exposed elsewhere. One place to start is by trying a few targeted Google searches. Google’s web crawlers have the ability to index public-facing files stored on company websites — that includes PDFs and some Excel and Word documents.
If you want to try to search for any exposed files that may have your name or email address, you can use special search operators to limit your search to certain file formats. Try including “filetype:pdf”, “filetype:doc”, or “filetype:xls” along with your name in your Google searches. MIT’s library has a guide to using search operators that you may find useful.
If you find something that looks off, you can report it to the FTC at ftc.gov/complaint. You should also contact any company that seems to be hosting your data inappropriately, and ask that it be taken down.
Most importantly, consumers should always stay alert for pretexting scams. Because companies don’t have a legal obligation to report these sorts of data leaks, you may never know if this type of information about you has been exposed. And as we’ve seen, it can be disconcerting, but not illegal, for companies to collect and host your “public” personal information on the internet.
If you get a call from someone — even if they seem to know information that only a company you’ve done business with should know — don’t just take them at their word. And if someone is trying to pressure you with a scary story, don’t panic. Instead, raise an eyebrow. Creating a sense of urgency is a tactic imposter scammers use to keep you from having enough time to put two and two together, according to Nat Wood of the FTC.
“Scammers are really ingenious, and they try to rush you,” says Wood. “They try to give you a sense of urgency. They try to make you afraid that some kind of terrible threat is going to happen… They try very hard to have you not think, ‘Wait a minute, is this real?’; ‘What do I know about this person?’; ‘Is there a way for me to verify it?’ Because if you have that thought, and check it out, they’re not likely to succeed.”
Also, if you suspect you have been targeted by a scammer, you should report it to the FTC.
“Those complaints are made available to hundreds of law enforcement agencies through the Consumer Sentinel Network. You don’t have to have lost money,” Wood explains. “We really appreciate it when people take the time to let us know they’ve seen fraud out in the world, whether they’ve fallen for it or not. It makes a difference.”