Stealing credit card and personal information from millions of customers might seem like the kind of thing only a criminal mastermind could pull off. New information shows it was the result of one dumb security decision.
We now have a pretty good idea how hackers infiltrated Target’s systems in the massive data breach last month. They went in through one of Target’s vendors, a heating and cooling company out of Sharpsburg, PA.
The HVAC company had access to Target’s systems for billing, contracting and project management purposes. But it was set up on the retail giant’s main network. The failure to separate this third party from business-critical functions will go down as a huge mistake.
Failing to see the problem?
For its part, Target is sticking by its story: that this was a highly advanced attack against an otherwise secure system.
That’s not flying with everybody. Brian Krebs, the researcher who was at the forefront of reporting the attack, sees things differently:
It’s not immediately clear why Target would have given an HVAC company external network access, or why that access would not be cordoned off from Target’s payment system network. But according to a cybersecurity expert at a large retailer who asked not to be named because he did not have permission to speak on the record, it is common for large retail operations to have a team that routinely monitors energy consumption and temperatures in stores to save on costs (particularly at night) and to alert store managers if temperatures in the stores fluctuate outside of an acceptable range that could prevent customers from shopping at the store.
The most advanced part of this attack, according to Krebs, was likely the malware it used.
In other words, access to the systems would appear to be the easiest part.
Protecting yourself from breaches
One of the hardest pills to swallow from these revelations is that most companies allow at least some access to their systems by third-party vendors. And with the Internet of Things, more and more devices will be connecting to systems.
Make sure those connections are secure. Run business-critical systems on a separate network. This is a good reminder that even if you protect your own company, attackers can piggyback on companies you let inside.