Target hackers used IDs from refrigeration contractor, report says
The hackers who made off with the personal and financial data of millions of Target shoppers last fall gained access to the company’s network using credentials stolen from a Pennsylvania-based refrigeration company, according to a report Wednesday by cyber-security journalist Brian Krebs.
Krebs, the first to report news of the Target data breach in December, wrote that Target’s network was breached Nov. 15. Once inside, the thieves installed malicious software that collected payment card data during transactions. Target has previously said the customer data was stolen between Nov. 27 and Dec. 15.
Target said last month that stolen vendor credentials were used to gain access to its network.
Krebs’ report appears in a post on his website, KrebsOnSecurity.com. The revelation should bring authorities closer to catching the data thieves, a security expert said.
“It’s a critical piece of information,” said Avivah Litan, a fraud analyst with information security research firm Gartner. “If (the authorities) know how (the thieves) got in, they have a record of where that login request came from. They should be able to trace it back.”
The refrigeration company named in Krebs’ post, Fazio Mechanical Services, lists two Target jobs on its company website under “Fazio Mechanical’s Projects” — one in Hilliard, Ohio, and the other in Columbia, Md. Both projects are described as “renovation and new refrigeration systems.” The company is based in the Pittsburgh suburb of Sharpsburg.
Fazio President Ross Fazio reportedly told Krebs that the “U.S. Secret Service visited his company’s offices in connection with the Target investigation.”
A law enforcement official confirmed Wednesday that a possible connection between Fazio’s access to Target’s network and the data breach is being investigated.
Target spokeswoman Molly Snyder said in an email: “Because this continues to be a very active and ongoing investigation, we don’t have additional information to share at this time.”
The Secret Service acknowledged that it is investigating the Target breach, but declined to provide more specific information.
A message left with Fazio was not returned Wednesday.
Minneapolis-based Target announced the data breach Dec. 19, a day after it was reported by Krebs, saying the purchasing information from up to 40 million customers was stolen between Nov. 27 and Dec. 15. In testimony before a Senate committee Tuesday, Target CFO John Mulligan said some data continued to be compromised from that breach until Dec. 18.
Last month, Target acknowledged that additional information from up to 70 million customers was stolen in a separate breach.
A security expert said this exploit has two distinct phases: first, gaining access to the refrigeration company; second, using that access as a springboard into Target’s own network and financial data.
“Essentially, the hackers found a ‘backdoor’ into the payments system via the less secure climate-control system,” said Phillip Parker, chief executive of CardPaymentOptions.com.
The first step, “someone getting (Fazio’s) login, is not very difficult to do,” said Neal O’Farrell, executive director of the Identity Theft Council. “Could be an insider, some malware, a keylogger, a lucky guess, a network sniffer.”
Litan, the Gartner fraud analyst, says the malware scenario seems like the most plausible to her. The thieves may have installed malicious software onto one of Fazio’s computers, which they would have used to steal login credentials for Target’s network.
At that point, O’Farrell said, Target’s own network security should have stopped the intrusion dead by giving Fazio only limited network authority with no access beyond its sphere of influence.
“For some crazy reason that access was not limited, was not cordoned off from anything else the company didn’t need access to,” he said. “If that’s true, it’s one of the dumbest security decisions I’ve seen in a long time.
“It’s not hard to exploit lazy, sloppy security,” O’Farrell said.
In his Senate testimony Tuesday, Mulligan said Target is investing $100 million to beef up purchasing security at its stores, including adopting the so-called chip-and-PIN technology commonly used in Europe and seen as more secure than the ubiquitous magnetic-stripe cards now in use.
Banks and credit card companies, meanwhile, have been replacing the cards and accounts of customers who made Target purchases during the breach period.
The Fazio situation points to the difficulty in keeping straight which entity has access to what resources on such a large web of interconnected networks, said Alex Moss, chief technology officer at information security consulting firm Conventus.
“Access is not governed as well as it should be” in such situations, Moss said.
The Fazio situation has the potential to create legal liability for Target, said Brian Kelly, information security officer at Quinnipiac University in Connecticut.
“Ultimately it means Target may be held liable for noncompliance with Payment Card Industry security standards,” Kelly said.
Under such stringent security guidelines, a company like Target must “verify that any accounts used by vendors to access, support and maintain system components are disabled, and enabled only when needed by the vendor,” he noted. “The question will be why would (this) vendor have remote access to the payment-card portion of Target’s network.”
The Pioneer Press is a media partner with Forum News Service.