A recent Lowe’s data breach is another reminder that attackers do not always need to break through sophisticated defenses to expose sensitive information. Sometimes, they only need valid login credentials.
According to a data breach notice submitted to the Maine attorney general, Lowe’s Companies Inc. reported that unauthorized access involved employee Workday accounts, with the breach occurring Sept. 2, 2024, and discovered Sept. 9, 2024. The incident affected 944 people and involved personally identifiable information, including names, addresses, dates of birth, email addresses, phone numbers and bank account numbers.
The incident appears limited in scale compared with some of the largest breaches of 2024, but the lesson is significant: When attackers gain access to employee accounts that contain sensitive data, even temporary access can create real privacy, compliance and reputational risk.
What Happened
Based on the breach notice, an unauthorized third party obtained a limited number of Lowe’s employees’ Workday login credentials and temporarily accessed those accounts. The data exposed was not just basic contact information. It included sensitive employee information stored inside the affected Workday accounts, including bank account numbers.
That matters because HR, payroll and workforce management systems often contain some of the most sensitive data inside an organization. Employee records may include personally identifiable information, payroll details, tax information, home addresses, dependent information and other confidential data.
For attackers, those systems can be valuable targets. For organizations, they can become high-risk exposure points if identity controls, access policies and data-layer protections are not working together.
The Credential Compromise Problem
The public notice does not explain exactly how the credentials were obtained. That is an important distinction. Without forensic detail, it is not possible to say whether the credentials were stolen through phishing, infostealer malware, password reuse, a compromised device, third-party access or another method.
However, the broader threat pattern is clear.
Workday says its native login for enterprise products stores passwords as secure hashes rather than storing the passwords themselves, and the platform supports SAML single sign-on and OpenID Connect integrations. That makes it unlikely, in a properly designed authentication environment, that passwords would simply be sitting in clear text inside the application.
So how do attackers get valid credentials?
Increasingly, they get them from outside the application itself. Credentials can be stolen through phishing, malware, compromised endpoints, reused passwords, unmanaged personal devices or infostealer logs sold in criminal marketplaces.
That was one of the major lessons from the 2024 Snowflake-related incidents. Mandiant reported that a threat actor tracked as UNC5537 targeted Snowflake customer instances using stolen customer credentials, with many of those credentials obtained through infostealer malware. Mandiant also reported that many impacted accounts did not have multifactor authentication enabled, meaning a valid username and password could be enough to gain access.
The Lowe’s incident is different, and the same root cause should not be assumed. But the comparison is useful because it shows why organizations must plan for a world where credentials can and will be compromised.
Why MFA Matters
The first lesson is straightforward: Multifactor authentication should be enforced wherever sensitive data can be accessed.
Usernames and passwords are no longer enough. They can be stolen, reused, guessed, phished or harvested from infected devices. Multifactor authentication adds a layer that can stop many credential-based attacks, even when a password has been compromised.
For HR, payroll, finance and data warehouse systems, MFA should not be optional. It should be standard.
Organizations also should avoid password reuse across systems. A password manager can help employees create and manage unique, complex passwords for each application. Security teams should also monitor for exposed credentials, rotate passwords when necessary and disable stale accounts.
Endpoint protection is also critical. Infostealer malware can quietly harvest credentials, browser sessions and authentication tokens from compromised devices. Malware scanning, managed devices, strong browser controls and user training all help reduce that risk.
But identity security alone is not enough.
The Bigger Question: What Happens After Login?
Credential security helps prevent unauthorized access. But organizations also need to ask what happens if an attacker gets in anyway.
If a compromised account can see raw sensitive data, the organization may still face a breach. If the data is protected at the field level, masked by policy or available only under strict need-to-know rules, the impact can be reduced.
This is where many organizations still have a gap.
They invest heavily in identity and access management, perimeter security and application controls. Those investments are important. But if sensitive data is readable once an account is accessed, attackers may still get what they came for.
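An added illustration of the field-level, need-to-know masking described above (not code from the original article or from any vendor product). The roles, field names, policy table and sample record are constructed assumptions; a password-only session sees sensitive fields masked until step-up MFA is satisfied, and every field decision is written to an audit log.

```python
from datetime import datetime, timezone

# Constructed policy: field -> (roles allowed to read clear text, step-up MFA required?)
POLICY = {
    "name":          ({"employee_self", "hr_generalist", "payroll_admin"}, False),
    "email":         ({"employee_self", "hr_generalist", "payroll_admin"}, False),
    "date_of_birth": ({"employee_self", "hr_generalist"}, True),
    "home_address":  ({"employee_self", "hr_generalist"}, True),
    "bank_account":  ({"employee_self", "payroll_admin"}, True),
}

def mask(field, value):
    """Mask a value; bank accounts keep the last 4 digits so the owner can recognise them."""
    s = str(value)
    if field == "bank_account" and len(s) > 4:
        return "*" * (len(s) - 4) + s[-4:]
    return "[masked]"

def view_record(record, session, audit_log):
    """Return the record as this session may see it and log each field decision."""
    view = {}
    for field, value in record.items():
        # Fields missing from the policy are denied by default.
        roles, needs_step_up = POLICY.get(field, (set(), True))
        allowed = session["role"] in roles and (
            session["mfa_verified"] or not needs_step_up)
        view[field] = value if allowed else mask(field, value)
        audit_log.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "user": session["user"], "role": session["role"],
            "field": field, "decision": "clear" if allowed else "masked",
        })
    return view

# Constructed sample data, not taken from any real system.
RECORD = {"name": "Sample Employee", "email": "sample.employee@example.com",
          "date_of_birth": "1990-01-01", "home_address": "1 Example Street",
          "bank_account": "000123456789"}
PASSWORD_ONLY = {"user": "semployee", "role": "employee_self", "mfa_verified": False}
STEPPED_UP = {"user": "semployee", "role": "employee_self", "mfa_verified": True}

if __name__ == "__main__":
    log = []
    print(view_record(RECORD, PASSWORD_ONLY, log))
    print([entry["field"] for entry in log if entry["decision"] == "masked"])
```

The audit entries give responders a per-field record of what a session could actually read, which is the evidence needed to scope a notification after an account takeover.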
How OnData Can Help
OnData helps organizations reduce the impact of credential compromise by protecting sensitive data itself.
Rather than relying only on application access or network defenses, OnData applies data-layer protection through discovery, classification, encryption, masking, access control and audit logging. This helps organizations create a true need-to-know data environment, where users only see sensitive information when they are authorized and have a legitimate business reason to access it.
For organizations managing employee, payroll, HR, customer or financial data across databases, data warehouses, files and downstream systems, OnData can help address several key pain points:
- Sensitive data spread across multiple systems and repositories.
- Broad access to confidential fields that many users do not need.
- Limited visibility into where regulated data lives.
- Difficulty enforcing consistent access policies across environments.
- Risk that compromised credentials expose readable data.
- Incomplete audit trails showing who accessed sensitive data and when.
- Sensitive information copied from source systems into reports, files or analytics platforms.
With OnData, organizations can automatically identify and classify sensitive data, enforce need-to-know access rules, mask or encrypt fields for unauthorized users and maintain granular audit logs of sensitive data access.
That means a compromised account does not automatically have to become a full data exposure event.
Protecting Data Even When Accounts Are Compromised
The Lowe’s incident highlights a common reality: Attackers often go after credentials because credentials work.
That is why organizations need layered protection.
MFA, password hygiene and endpoint security help protect accounts. But data-layer security helps protect the information those accounts can reach.
OnData complements identity and access management by helping ensure that sensitive data remains protected even when a user session, application account or internal workflow is misused. Authorized users can continue doing their jobs, while unauthorized users see encrypted, masked or restricted data.
For regulated data, that distinction matters.
It can reduce breach impact, support compliance, strengthen governance and give organizations more confidence that sensitive information is not broadly exposed across the enterprise.
What Organizations Should Learn
The Lowe’s breach reinforces several important lessons:
First, enforce multifactor authentication across systems that contain sensitive information.
Second, assume credentials can be compromised and plan accordingly.
Third, monitor endpoints and unmanaged devices for malware and credential theft risks.
Fourth, avoid password reuse and rotate exposed credentials quickly.
Finally, protect the data itself, not just the accounts and systems around it.
Organizations cannot prevent every credential from being stolen. But they can reduce what stolen credentials can access.
That is the value of a need-to-know data strategy. And that is where OnData can help.