SECURITY
The Home Depot Inc. in Canada has suffered a data leak after sending customer information to other Home Depot customers.
The first reports of the data breach appeared on Twitter on Oct. 28 as customers said they received reminder emails by mistake for hundreds of orders that were ready to pick up. The emails included customer names, email addresses, order numbers and the last four digits of customer payment cards.
Exactly how many customers had their data exposed, and how many unrelated customers received the emails, is unknown. In one case a customer reported receiving more than 660 emails, while another put the figure at 900 or more.
Home Depot Canada confirmed the data breach, describing it as a systems error that affected a “very small number of customers.” How the data breach occurred was not disclosed.
“The data release from some of Home Depot’s customers in Canada is unusual, in that the breach seems to be the result of an internal system error rather than an external attack,” Saryu Nayyar, chief executive officer of unified security and risk analytics company Gurucul Solutions Pvt Ltd A.G., told SiliconANGLE. “Still, releasing home and email addresses and recent order confirmations could be gold for a malicious actor. Personal information like that can be leveraged into a convincing phishing email, which could lead to the affected customers becoming victims.”
Chloé Messdaghi, vice president of cybersecurity intelligence company Point3 Security Inc., noted that attackers would otherwise have to pay big money for real-time data on actual orders.
“After this event, any attacker with that information on orders in process or ready can just call or send a look-alike email and say ‘Sorry about this data breach, let us offer you this $50 gift card – please click here to receive it,’” Messdaghi explained. “And then, a smart attacker would send a follow-up email or a text to each consumer whose data was leaked, saying ‘we’re sorry – please check your email, we’ve just sent you a gift card as a valuable customer. You can also access your gift card by clicking here.’ Or they could pretend to call from HD Customer Service to collect the complete credit card information.”
Messdaghi said Home Depot must act quickly to beat attackers to the punch. “They need to let their consumers know what to do next – and to be especially aware that bad actors may be calling, emailing or texting, displaying the last few digits of their card and recent orders, and asking these consumers to click through to links,” she said. “Merely reporting a breach without informing consumers of attacks they might expect and how to avoid them is like diagnosing a treatable illness but withholding possible treatments. It’s potentially cyber malpractice.”