Vendor error forces Lowe's to issue breach notification letters

Current and former employees at Lowe's are receiving warning letters in the mail


In a letter to both current and former employees, Scott Purvis, Vice President of Human Resources at Lowe’s, says that personal information might have been compromised after a third-party vendor exposed it to the public.

According to the letter, the personal information of current and former drivers for the company, including names, addresses, birthdays, Social Security numbers, driver's license numbers, and other driving record information, was exposed during the incident.

"The breadth of data that was accessible about these individuals is troubling," commented Paul Lipman, CEO at iSheriff, when asked his opinion on the breach notification letter.

"Lowe's data breach, coming hot on the heels of the news of eBay's stolen customer database, demonstrates the increasingly porous nature of corporate networks. Frankly, it's irresponsible to store sensitive personal data of this nature in an unencrypted format, regardless of where it resides," Lipman added.

"As corporate data becomes increasingly mobile and dispersed, organizations must rapidly turn their attention to protecting against inadvertent acts that could put their business, customers and employees at risk."

The data was housed in E-DriverFile, an online database provided by SafetyFirst, a driver safety firm headquartered in New Jersey. According to Purvis' letter, the root cause of the incident was an improperly secured backup:

"We recently learned that the vendor unintentionally backed up this data to an unsecured computer server that was accessible from the Internet. You are receiving this notice because we’ve determined that your Social Security number and/or driver’s license number was in E-DriverFile and thus potentially exposed..."

Once the problem was discovered, SafetyFirst blocked access to the unsecured backup server. Internal investigations determined that the personal information housed on the server may have been accessed between July 2013 and April 2014.

While there hasn't been any hard evidence that the improperly stored data was misused, Lowe's is notifying some 35,000 individuals, and offering one year of credit protection services.

"The situation with Lowe's is a very common reason why data leakage occurs. People often post data on Internet-facing servers unaware that the data could be found. Furthermore, data is sometimes posted online for temporary purposes only to be forgotten about and never removed. Unfortunately, accidental or not, these incidents certainly expose customers to a great risk for fraud," commented Mark Stanislav, Security Evangelist at Duo Security.

"This incident serves as an important reminder to organizations that data in the hands of third-party vendors should have strict oversight when possible. The complexity of data sharing among businesses leaves a lot of gaps in security and this situation should keep vendors aware that sensitive customer data should be encrypted at rest and in-transit at all times."
