Eh sorry! Home Depot Canada is red-faced after sending out hundreds of order-pickup notifications to the wrong people.
"Hey um... I'm pretty sure I received a reminder email for literally every online order that is currently ready for pick up at literally every Home Depot store in Canada," tweeted Spencer Monckton, a graduate student in Toronto, yesterday (Oct. 28, 2020). "There are 660+ emails. Something has gone wrong." (This story was first reported by Bleeping Computer.)
"This is a VERY serious data breach that has affected at least 900 consumers, not just in-store pick-up," tweeted Bethany Frances of the London, Ontario area. "My ONLINE ORDER was sent to 300 people, and I received the ONLINE ORDERS of 43 others. Names, home addresses, order info and credit card info was all shared :("
That's all accurate, except for the bit about the credit-card information -- only the last four digits of card numbers were included in the emails, according to Bleeping Computer. Many of the emails contained the address of the Home Depot store where the order was to be picked up, but some had the customer's home address as well.
Affected Home Depot Canada customers are not facing much extra risk as a result of these emails. Crooks can't do much with only four credit-card digits. It's possible, but unlikely, that some recipients of this email flood might forward the messages to spammers who could harvest the email addresses.
Still, this is pretty embarrassing for Home Depot, and its Canadian division quickly created a boilerplate explanation, if not quite an apology, for everyone who tweeted at it complaining of the email messages.
"Thank you for reaching out to us. We are aware of what occurred this morning and can confirm that this issue has now been fixed," multiple identical Home Depot Canada tweet replies said. "This issue impacted a very small number of our customers who had in-store pick-up orders. Please DM us with any additional questions."