[BreachExchange] Hundreds of Lowe's customers' personal information compromised

Audrey McNeil audrey at riskbasedsecurity.com
Fri Mar 3 16:29:09 EST 2017


http://www.wsoctv.com/news/local/hundreds-of-lowes-customers-personal-information-compromised/499082899

Personal information connected to hundreds of Lowe's customers has been
compromised.

The breach is connected to a fax machine in Vancouver, Canada. A
spokesperson from the company that owns the machine does not want to be
identified, but said they have received more than 250 pages of customer
order information in recent days.

"It is definitely a privacy breach," an employee of the company based in
Vancouver said.

The orders that were sent to the wrong fax machine contain each customer's
full name, address and phone number.

"We've had a couple of credit card numbers come through," the employee said.

But the company spokesperson said it quickly shredded any financial
information.

None of the documents Channel 9 saw even contain a box for credit card
numbers.

Lowe's insisted Thursday that no financial information was compromised.

The orders ranged in value from $300 to $1,500 and also listed installation
dates, posing a possible security risk to customers.

"(Our) main concern is that people's information is being sent out there,"
the employee said.

The orders appear to have been sent by various Lowe's stores spanning at least
eight different states, including South Carolina and North Carolina.

Channel 9 spoke with one affected customer, who lives in Greensboro. She
declined an on-camera interview, but she is "furious" and wants answers
from Lowe's.

The documents reviewed by Channel 9 appeared to be destined for a company
called Phantom MFG International. It manufactures specialized screens for
doors and windows.

Whistleblower 9 also reviewed multiple emails that show Lowe's had been told
about this problem since at least August of 2016, but the faxes and
personal information kept coming.

The CEO of Lowe's was sent a scathing email Monday with the subject line:

"URGENT!! Confidential Faxes being sent to us, We have contacted your
stores, and customer service to no avail."

"We've asked them to stop numerous times. I've called separate stores," the
employee said. "So has other staff. We've called employees. We've called
head office and they just don't seem to stop."

Lowe's corporate communications representative Karen Cobb released the
following statement to Channel 9:

"We take the protection of customer information seriously. As soon as we
obtained copies of the faxes (the company) said she received, we began
looking into the situation.

We are trying to determine whether her fax number could have been
mis-associated with any other vendor or party. We are taking steps to stop
any faxes to her number. We have no information that any personal financial
information has been disclosed."