In an oddly ironic endorsement of its “do it yourself” ethos, home improvement giant Lowe’s is notifying customers of a potential data compromise brought about via a third-party software vendor.
Lowe’s had hired the vendor to provide a computer platform that stores compliance documentation and information about employees. Specifically, current and former drivers of Lowe’s vehicles could be affected, as well as current and former employees who access and administer the system.
The personal data in the system, which is called E-DriverFile, is a raft of sensitive information: names, addresses, dates of birth, Social Security numbers and driver’s license numbers, sales IDs and other driving record information. In short, it’s essentially an identity-fraud-in-a-box kit.
“The breadth of data that was accessible about these individuals is troubling... [it] gives cyber-criminals everything they need to wreak havoc with a victim’s identity and finances,” said Paul Lipman, CEO at iSheriff, in a note to Infosecurity. “It's literally turning over the keys to the kingdom. Anyone affected by this compromise should immediately take Lowe's up on their offer of free credit monitoring, and check their current credit reports for signs of recent suspicious activity. In addition, very careful attention should be paid to banking and credit card transactions.”
The issue illustrates a classic fear when it comes to using cloud services: lack of oversight over how those cloud providers handle client data. In this case, the vendor unintentionally backed up this data to an unsecured computer server that was accessible from the internet.
“The situation with Lowe’s is a very common reason why data leakage occurs,” said Mark Stanislav, security evangelist at Duo Security, in an email. “People often post data on internet-facing servers unaware that the data could be found. Furthermore, data is sometimes posted online for temporary purposes only to be forgotten about and never removed. Unfortunately, accidental or not, these incidents certainly expose customers to a great risk for fraud.”
Lowe’s said that the vendor has blocked access to the unsecured backup server and has retained data security experts to conduct an investigation of the incident. The evidence suggests that personal information from the backup server may have been accessed during a nine-month period between July 2013 and April 2014 – though so far there have been no reported incidents of information having been misused, the company said.
Added Stanislav, “Luckily for Lowe’s customers, it appears that the number of potentially affected people might be rather low and there’s also a chance this data wasn’t discovered by anyone nefarious prior to the third-party vendor taking this data offline. Nine months is a long time for data to be on the Internet but customers can only hope it wasn’t stumbled upon in that time period.”
Nonetheless, the incident echoes concerns over data protection practices at some of the world’s largest consumer-facing organizations.
“Lowe’s data breach, coming hot on the heels of the news of eBay’s stolen customer database, demonstrates the increasingly porous nature of corporate networks,” said Lipman. “Frankly, it's irresponsible to store sensitive personal data of this nature in an unencrypted format, regardless of where it resides. All too often, organizations focus their security efforts on preventing deliberate acts of cyber-crime and invest to keep the adversary from the gate. As corporate data becomes increasingly mobile and dispersed, organizations must rapidly turn their attention to protecting against inadvertent acts that could put their business, customers and employees at risk.”
A Lowe's spokesperson contacted Infosecurity after publication of this article and maintained that although this article correctly refers to employee data, “customer” data referenced throughout was not compromised. The spokesperson issued the following clarifications:
“Lowe’s uses a third-party vendor to maintain compliance information and documentation about employees who are approved to drive Lowe’s company vehicles. Due to an error by this vendor, personal information about some current and former Lowe’s employees approved to drive company vehicles and certain other employees who administer and access those employee records was made potentially accessible via the Internet. This information was stored in a computer system provided by the vendor. The computer system does not contain any customer data. Once again, this system does not contain any customer information. It affects only specific former and current employees. All individuals who had sensitive data stored in the system are being separately notified of the incident and Lowe’s has also arranged to provide credit protection services for each of these individuals.”