A top security leader said he is not surprised that the recent Home Depot data breach was caused by a misconfigured SaaS application, and warned that the problem is widespread in companies of all sizes.
The data breach led to a well-known threat actor called IntelBroker uploading information belonging to more than 10,000 Home Depot employees to a popular hacking forum.
The exposed information included employee names, work email addresses, and user IDs. Although this information alone is not very sensitive, threat actors could use it to carry out more social engineering attacks against Home Depot staff, experts warned.
Home Depot confirmed the attack on April 7, stating that the breach was the result of a third-party software vendor inadvertently exposing a small sample of data belonging to Home Depot staff.
Tim Bach, senior vice president of security engineering at AppOmni, said that while the quick identification of the incident as a result of a SaaS misconfiguration was impressive, the fact that this was the source of the breach was far from surprising.
“Most notable is the immediate identification of a SaaS misconfiguration as the cause. It's really not noteworthy to see another leak of sensitive data from a SaaS application, and unfortunately, it's not noteworthy to even see it on this scale, as large enterprises have largely adopted SaaS across their critical infrastructure.”
Bach said it is important for companies to correctly identify the root cause of breaches like this to ensure that others learn from these incidents and improve their posture accordingly.
“Inadvertent SaaS misconfigurations that can potentially result in such leaks are common, but typically when a leak occurs it is simply attributed to an 'internal system', leaving it unclear whether it was a SaaS system or an internal system, etc.,” he said.
“This attribution to SaaS misconfiguration is key as it will help security teams remain aware of the importance of dedicating attention to continually protecting and monitoring their SaaS applications.”
Companies must strengthen their SaaS security practices
The Home Depot breach underscores how SaaS-based attacks are a growing problem, according to Bach. Citing research conducted in 2023 by threat researcher Aaron Costello and security reporter Brian Krebs, he noted that many of these attacks go undetected.
“This highlights how frequently attackers exploit vulnerabilities in SaaS applications. Almost a year ago, based on intelligence from AppOmni Labs researcher Aaron Costello, cybersecurity journalist Brian Krebs published an article about how many SaaS applications are leaking data,” Bach recalled.
“Unmanaged SaaS applications, poor configuration hygiene, and associated breaches continue to plague businesses. If they are associated with large, well-known companies, they are written about and discussed, but many of these types of violations are likely to go unnoticed.”
Bach said SaaS applications are ingrained in the operating models of virtually all companies and underpin vital processes every day. As such, businesses must take a number of security precautions to ensure that their SaaS implementations are not compromised.
“SaaS applications are now the operating system and system of record for enterprises, handling sensitive and business-critical data. SaaS is a critical part of cloud infrastructure and applications that businesses must pay attention to and implement controls to prevent data breaches. At a basic level, it is important to gain visibility into SaaS risks and avoidable data exposures,” he noted.
“Beyond this, companies should be vigilant about SaaS identities, user behaviors, and connected applications that may introduce additional risks.”