Lowe’s Data Breach Analysis

What Happened

Per the data breach report submitted to the Office of the Maine Attorney General, on September 2, 2024, Lowe’s discovered that an unauthorized third party obtained a limited number of employees’ Workday login information (username and password) and gained temporary access to those employees’ Workday accounts. As a result, certain Personally Identifiable Information (PII) held in those Workday accounts, including name, address, date of birth, email address, phone number, and bank account number, was compromised. This incident has impacted a total of 944 people.

Analysis

Without knowing the details, I wonder how the unauthorized third party could get login credentials for hundreds of employees. Typically passwords are stored in the form of a hash and never stored as clear text. Workday’s online article has detailed its security mechanisms and indicated that “…native login for Workday Enterprise Products only stores the password in the form of a secure hash as opposed to the password itself”. Workday does support Single Sign-On (SSO) integration using SAML and OpenID Connect. Could it be that Lowe’s has configured SSO integration with another Identity and Access Management (IAM) system? Even if that is the case, it is very unlikely for an IAM system to ever store passwords as clear text.

How can a hacker or an unauthorized third party steal passwords from hundreds of people? This question leads to a similar data breach incident that occurred at Snowflake in April 2024, but with 165 enterprise accounts breached and hundreds of millions of people impacted (the Ticketmaster account alone could potentially impact 560 million customers). Despite such a widespread breach, Snowflake maintains that the incidents resulted from compromised user credentials rather than any vulnerabilities or flaws within Snowflake’s product itself. Then the question is, how did the hackers obtain login credentials for 165 Snowflake customers? Per the investigation report by the Google-owned cybersecurity firm Mandiant, which was retained to analyze this incident, the Snowflake customers’ login credentials were stolen via infostealer malware. While I still have some doubts about that claim, it is possible that the Workday login credentials of the impacted Lowe’s employees were stolen by some kind of infostealer malware as well. When multi-factor authentication (MFA) is not enforced, hackers holding stolen login credentials can access critical systems directly.

What We Learned

  1. Beyond traditional login credentials (username and password), always enforce Multi-Factor Authentication (MFA) to significantly enhance account security. Most enterprise SaaS platforms offer SSO integration with a tenant-specific IAM system, and MFA when native authentication is used. Take advantage of MFA for added security.
  2. Do not re-use passwords across multiple systems or applications. A password manager can help you use a unique password of sufficient complexity for each system and application, and rotate those passwords over time.
  3. Use a malware scanner and antivirus software to protect your systems from infostealer malware.
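The takeover pattern described above (stolen credentials used directly because MFA was not enforced) is visible in SaaS authentication logs. The following is an added example, not code from the original post or from Workday: it flags successful password-only logins from a source address the account has never used before, and lists accounts for which MFA is evidently not enforced. The log lines and their field layout are constructed for illustration.

```python
# Added example (not from the original post): detect password-only logins
# from a never-before-seen source, the trace an infostealer-driven account
# takeover leaves behind, and list accounts that logged in without MFA.
# The log lines and the key=value field layout below are constructed.
from collections import defaultdict

SAMPLE_LOG = """\
2024-08-28T09:12:01Z user=alice result=success mfa=true src=198.51.100.10
2024-08-29T09:15:44Z user=alice result=success mfa=true src=198.51.100.10
2024-08-30T10:02:13Z user=bob result=success mfa=false src=203.0.113.7
2024-09-01T03:41:22Z user=bob result=success mfa=false src=192.0.2.55
2024-09-01T03:42:10Z user=alice result=failure mfa=false src=192.0.2.55
2024-09-02T11:20:05Z user=carol result=success mfa=true src=192.0.2.55
"""

def parse_line(line):
    """Turn one constructed log line into a dict; 'mfa' becomes a bool."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = ts
    fields["mfa"] = fields["mfa"] == "true"
    return fields

def find_suspicious_logins(log_text):
    """Return (ts, user, src) for each password-only success from a new source."""
    seen_sources = defaultdict(set)   # per-user baseline of source addresses
    hits = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev["result"] != "success":
            continue                   # failed attempts do not extend the baseline
        user, src = ev["user"], ev["src"]
        # The first-ever login for a user only establishes the baseline.
        if seen_sources[user] and not ev["mfa"] and src not in seen_sources[user]:
            hits.append((ev["ts"], user, src))
        seen_sources[user].add(src)
    return hits

def users_without_mfa(log_text):
    """Accounts that completed a login without MFA, i.e. where MFA is not enforced."""
    events = [parse_line(l) for l in log_text.splitlines()]
    return sorted({e["user"] for e in events if e["result"] == "success" and not e["mfa"]})

if __name__ == "__main__":
    for hit in find_suspicious_logins(SAMPLE_LOG):
        print("ALERT password-only login from new source:", hit)
    print("MFA not enforced for:", users_without_mfa(SAMPLE_LOG))
```

In the constructed log, bob's password-only login from 192.0.2.55 is the only hit, and bob is the only account for which MFA is not enforced; a real deployment would replace the constructed lines with the platform's sign-in audit export.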