Current and former employees at Lowe's are receiving warning letters in the mail

In a letter to both current and former employees, Scott Purvis, Vice President of Human Resources at Lowe’s, says that personal information might have been compromised after a third-party vendor exposed it to the public.

According to the letter, the personal information of current and former drivers for the company, including names, addresses, birthdays, Social Security numbers, driver’s license numbers, and other driving record information, was exposed during the incident.

“The breadth of data that was accessible about these individuals is troubling,” commented Paul Lipman, CEO at iSheriff, when asked his opinion on the breach notification letter.

“Lowe’s data breach, coming hot on the heels of the news of eBay’s stolen customer database, demonstrates the increasingly porous nature of corporate networks. Frankly, it’s irresponsible to store sensitive personal data of this nature in an unencrypted format, regardless of where it resides,” Lipman added. “As corporate data becomes increasingly mobile and dispersed, organizations must rapidly turn their attention to protecting against inadvertent acts that could put their business, customers and employees at risk.”

The data was housed in E-DriverFile, an online database provided by SafetyFirst, a driver safety firm headquartered in New Jersey. According to Purvis’ letter, the root cause of the incident was an improperly secured backup:

“We recently learned that the vendor unintentionally backed up this data to an unsecured computer server that was accessible from the Internet. You are receiving this notice because we’ve determined that your Social Security number and/or driver’s license number was in E-DriverFile and thus potentially exposed…”

Once the problem was discovered, SafetyFirst blocked access to the unsecured backup server.
Internal investigations determined that the personal information housed on the server may have been accessed between July 2013 and April 2014.

While there hasn’t been any hard evidence that the improperly stored data was misused, Lowe’s is notifying some 35,000 individuals, and offering one year of credit protection services.

“The situation with Lowe’s is a very common reason why data leakage occurs. People often post data on Internet-facing servers unaware that the data could be found. Furthermore, data is sometimes posted online for temporary purposes only to be forgotten about and never removed. Unfortunately, accidental or not, these incidents certainly expose customers to a great risk for fraud,” commented Mark Stanislav, Security Evangelist at Duo Security.

“This incident serves as an important reminder to organizations that data in the hands of third-party vendors should have strict oversight when possible. The complexity of data sharing among businesses leaves a lot of gaps in security and this situation should keep vendors aware that sensitive customer data should be encrypted at rest and in-transit at all times.”