In a big company, when it’s suspected that someone is misusing company data to steal money from other employees, the first call is supposed to be to human resources. But what if the fraud is being perpetrated by a couple of HR staffers? That’s what happened at Home Depot.

The two Home Depot HR people, Paulette Shorter and Lakisha Grimes, were sentenced to two years and one day in federal prison, according to a U.S. Justice Department statement.

“The defendants stole the very personal information they were entrusted to protect,” said U.S. Attorney John Horn. “They applied for fraudulent credit cards with personal identifying information taken from The Home Depot’s human resources database.”

According to the feds, the HR staffers used Home Depot personnel files to extract names, social security numbers and birthdates to apply online for Capital One payment cards. They used the names and data not only of Home Depot employees, but of job applicants, too.

The pair submitted 32 payment card applications to Capital One. The government didn’t release how many were approved, beyond saying that “two of the approved credit cards were mailed to Shorter’s and Grimes’s residences.”

This raises key questions. First, why did the fraudsters here always use one financial institution? Did they want to make it easy for investigators to find common threads so they could be tracked and arrested?

But for PFs, the incident raises issuance authentication issues. Given that these two didn’t go beyond one financial institution, is it likely that they made sure to vary their IP addresses? What about e-mail verification? Or the same addresses?

The federal statement makes it clear that they used the identical street address for at least two—and presumably many more—applications. Granted, the same address on multiple applications is not—on its own—proof of fraud. Multiple tenants can live in the same building and family members can have different last names. But it’s a good reason for the applications to be reviewed at a few supervisory levels.