A leak on hacking forums has led Home Depot to confirm that its employee data was compromised via a third-party software vendor.
Home Depot did not identify the breached software-as-a-service (SaaS) vendor, but said an error exposed the names, company IDs and email addresses of a “small sample” of its employees, according to reports. Now on sale on the Dark Web, this is the type of data that could be used to fuel targeted phishing cyberattacks.
The incident highlights how selecting SaaS vendors with strong cybersecurity protections is critical for businesses, according to Tamir Passi, director of product at DoControl.
Cyber risk in the software supply chain
Passi recommends testing a third-party vendor’s workflow before giving them access to your data.
“Ideally, real employee data should not be used to test a new vendor’s workflow,” Passi explained in a statement. “In general, system testing and validation should be performed with non-production data sets, unless all the same security and privacy protocols needed for production and testing are in place.”
Passi warned that once data is handed over to a partner, it is too late to do anything about its security.
In addition to due diligence and vetting before selecting a SaaS vendor, Mika Alto, co-founder and CEO of Hoxhunt, recommends regular audits.
“The threat landscape is constantly evolving, so ongoing training on security best practices is vital,” Alto said in a statement. “Employees and security professionals at all levels should be equipped to recognize and respond to potential threats, including those that may arise from third-party sources.”
A decade ago, Home Depot suffered a much larger data breach in which customer credit card information related to purchases at stores in the United States and Canada was compromised.