A senior security leader has said he is not surprised that the recent Home Depot data breach was caused by a misconfigured SaaS application, warning that the issue is rife across enterprises of all sizes.
The data breach saw information belonging to over 10,000 Home Depot employees uploaded to a popular hacking forum by a well-known threat actor named IntelBroker.
Exposed information included employee names, work email addresses, and user IDs. Although this information alone is not highly sensitive, it could be used by threat actors to conduct further social engineering attacks on Home Depot staff, experts have warned.
Home Depot confirmed the attack on 7 April, stating the breach was the result of a third-party software vendor inadvertently exposing a small data sample pertaining to Home Depot staff.
Tim Bach, senior VP of security engineering at AppOmni, said while the rapid identification of the incident as the result of a SaaS misconfiguration was impressive, the fact this was the source of the breach was far from surprising.
“What is most noteworthy is the immediate identification of SaaS misconfiguration as the cause. It is really not noteworthy to see another sensitive data leak from a SaaS application, and unfortunately it is not noteworthy even to see it at this scale, as large enterprises have heavily adopted SaaS throughout their critical infrastructure.”
Bach said it’s important firms correctly identify the root cause of leaks like this one to ensure others learn from these incidents and improve their posture accordingly.
“Inadvertent SaaS misconfigurations that can, potentially, result in such leaks are commonplace, but usually when a leak occurs it is attributed simply to an ‘internal system’, making it unclear whether it was a SaaS system, or in-house system, etc,” he said.
“Such attribution to a SaaS misconfiguration is key as it will help security teams continue to be mindful of the importance of dedicated attention to securing and continuously monitoring their SaaS applications.”
Firms need to buck up their SaaS security practices
The Home Depot breach underscores how SaaS-based attacks are a growing problem, according to Bach. Citing an investigation carried out in 2023 by threat researcher Aaron Costello and security reporter Brian Krebs, he noted that many of these attacks go unnoticed.
“This highlights how commonly attackers exploit SaaS application vulnerabilities. Nearly a year ago based on intelligence from AppOmni Labs researcher Aaron Costello, cyber security journalist Brian Krebs published an article about how many SaaS applications are leaking data.” Bach recalled.
“Unmanaged SaaS applications, poor configuration hygiene, and their associated breaches continue to plague enterprises. If they are associated with large, well-known enterprises they are written about and discussed, but many of these types of breaches likely go undetected.”
Bach said SaaS applications are ingrained into the operating models of virtually every business and underpin vital processes every day. As such, enterprises need to take a number of security precautions to ensure their SaaS deployments aren’t compromised.
“SaaS applications are now the operating system and system of record for business, since they handle sensitive, business-critical data. SaaS is a critical part of cloud infrastructure and applications that businesses need to pay attention to and implement controls around to prevent data breaches. At a basic level, it’s important to get visibility into SaaS risks and preventable data exposures”, he noted.
“Beyond this, enterprises should watch out for SaaS identities, user behaviors, and connected applications that can introduce additional risks.”
