Target ignored a request for a more thorough review of security on its point-of-sale systems two months before a hacker stole 40 million credit card numbers from the retailer, the Wall Street Journal reports:
At least one analyst at the Minneapolis-based retailer wanted to do a more thorough security review of its payment system, a request that at least initially was brushed off, the people said. The move followed memos distributed last spring and summer by the federal government and private research firms on the emergence of new types of malicious computer code targeting payment terminals, a former employee said.
It is not clear whether Target eventually did the security review before the theft.
The hackers appear to have gained access by successfully “phishing” credentials from one of Target’s heating, ventilation and air conditioning (HVAC) vendors, according to Brian Krebs, whose reporting has led the way on this story. Phishing is the sending of a bogus but legitimate-looking email that asks the recipient for something like a password, or that carries malware in an attachment or link. Such emails can be sent to everyone in a company at once; it only takes one employee to fall for the trick for the attacker to gain a foothold.
Target may have been chosen for the attack because it maintains a public website listing detailed information about its vendors, according to Krebs, including its HVAC suppliers:
A simple Google search turns up Target’s Supplier Portal, which includes a wealth of information for new and existing vendors and suppliers about how to interact with the company, submit invoices, etc. That page leads to a separate page of information on Target Facilities Management, which includes a slew of instructions on submitting work orders. That page also includes a link to another set of resources: A Supplier Downloads page that, oddly enough, is little more than a long list of resources for HVAC & refrigeration companies.
Target stored so much information on that site that Krebs, from nothing more than a Google search, was able to name the specific Target employee who had created or last edited an Excel spreadsheet of the HVAC companies Target uses.
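That kind of leak is reproducible on almost any published Office file. An .xlsx is a zip archive, and its docProps/core.xml part records who created the workbook and who last saved it, which is exactly the sort of detail that turns a supplier download into an employee's name. The example below is added here and is not from the article or from Krebs's reporting; it assumes the name came from the file's own properties, builds a skeleton workbook in memory with placeholder names and title, reads the author fields back out, and strips them the way a supplier portal should before publishing.

```python
"""Added example: recovering and scrubbing author metadata in an .xlsx.
Not from the article or Krebs; the workbook, names and title are placeholders."""
import io
import xml.etree.ElementTree as ET
import zipfile

# Namespaces used by the Office Open XML core-properties part.
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
}
for prefix, uri in NS.items():
    ET.register_namespace(prefix, uri)

# Constructed docProps/core.xml: this is where Excel records who made the file.
CORE_XML = f"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<cp:coreProperties xmlns:cp="{NS['cp']}" xmlns:dc="{NS['dc']}">
  <dc:title>HVAC and refrigeration suppliers</dc:title>
  <dc:creator>jdoe</dc:creator>
  <cp:lastModifiedBy>Jane Doe (Facilities Management)</cp:lastModifiedBy>
</cp:coreProperties>"""

# Minimal skeleton of the other parts: enough to look like a workbook to a
# zip reader, not a complete Excel file.
CONTENT_TYPES_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">
  <Override PartName="/docProps/core.xml" ContentType="application/vnd.openxmlformats-package.core-properties+xml"/>
</Types>"""
WORKBOOK_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<workbook xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main"><sheets/></workbook>"""

AUTHOR_FIELDS = ("dc:creator", "cp:lastModifiedBy")


def build_sample_xlsx() -> bytes:
    """Assemble the constructed parts into an in-memory .xlsx (a zip)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", CONTENT_TYPES_XML)
        zf.writestr("docProps/core.xml", CORE_XML)
        zf.writestr("xl/workbook.xml", WORKBOOK_XML)
    return buf.getvalue()


def extract_author_metadata(xlsx_bytes: bytes) -> dict:
    """Return title/creator/last-modified-by from docProps/core.xml ('' if absent)."""
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as zf:
        if "docProps/core.xml" not in zf.namelist():
            return {}
        root = ET.fromstring(zf.read("docProps/core.xml"))

    def text(tag: str) -> str:
        el = root.find(tag, NS)
        return (el.text or "").strip() if el is not None else ""

    return {
        "title": text("dc:title"),
        "creator": text("dc:creator"),
        "last_modified_by": text("cp:lastModifiedBy"),
    }


def scrub_author_metadata(xlsx_bytes: bytes) -> bytes:
    """Copy the workbook, blanking the author fields; every other part is untouched."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as src, \
         zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for item in src.infolist():
            data = src.read(item.filename)
            if item.filename == "docProps/core.xml":
                root = ET.fromstring(data)
                for tag in AUTHOR_FIELDS:
                    el = root.find(tag, NS)
                    if el is not None:
                        el.text = ""
                data = ET.tostring(root, encoding="utf-8", xml_declaration=True)
            dst.writestr(item.filename, data)
    return out.getvalue()


if __name__ == "__main__":
    original = build_sample_xlsx()
    print("published:", extract_author_metadata(original))
    print("scrubbed: ", extract_author_metadata(scrub_author_metadata(original)))
```

Search engines index docProps just as readily as the cell contents, so the scrub step belongs in the publishing pipeline rather than in a one-off cleanup; the title is deliberately left in place because it is the only field a vendor actually needs.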
Having obtained the HVAC firm’s credentials, the hackers were able to log in to Target’s vendor server, Krebs says. The problem was that Target ran many of its other applications on that same server, which it called “Ariba.” Once the hackers got into Ariba with the HVAC credential, they could reach whatever else Target was running on it, according to a source Krebs quotes:
“I know that the Ariba system has a back end that Target administrators use to maintain the system and provide vendors with login credentials, [and] I would have to speculate that once a vendor logs into the portal they have active access to the server that runs the application,” the source said. “Most, if not almost all, internal applications at Target used Active Directory (AD) credentials and I’m sure the Ariba system was no exception. I wouldn’t say the vendor had AD credentials but that the internal administrators would use their AD login to access the system from inside. This would mean the server had access to the rest of the corporate network in some form or another.”
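The pathway in that quote, a vendor credential on a portal whose server can reach the corporate network and whose administrators log on to it with AD accounts, is something a security team can watch for even when it cannot immediately re-architect the portal. The example below is added here and is not from the article or from Krebs’s source; it scores constructed Windows-style logon records against three rules: a vendor account used anywhere but the portal, the portal host appearing as the source of a logon to an internal system, and a privileged domain account logging on interactively to the portal host. The host names (vendor-portal01, fileserver01, pos-mgmt01), the VENDOR/CORP realm split, the account names and the log format are all assumptions made for the example.

```python
"""Added example: detection rules for a vendor portal that can reach the
corporate network. Not from the article or Krebs's source; hosts, realms,
account names and the log format are constructed for illustration."""
import re
from dataclasses import dataclass

# Assumed zoning: the portal is the only host a vendor should ever touch.
VENDOR_FACING_HOSTS = {"vendor-portal01"}
INTERNAL_HOSTS = {"dc01", "fileserver01", "pos-mgmt01"}
# Assumed naming convention: vendor accounts live in a VENDOR realm, staff in CORP.
# Per the quoted source, vendors held no AD credentials but portal admins did.
VENDOR_REALM = "VENDOR"
PRIVILEGED_ACCOUNTS = {"CORP\\ariba-admin", "CORP\\da-jsmith"}

# Constructed log format, one logon event per line.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) logon user=(?P<user>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"type=(?P<type>\S+) result=(?P<result>\S+)$"
)

# Constructed sample: a vendor logs in normally, an admin RDPs to the portal,
# then the portal host starts reaching internal systems with both identities.
SAMPLE_LOG = """
2013-11-15T02:10:11Z logon user=VENDOR\\hvac-vendor1 src=203.0.113.7 dst=vendor-portal01 type=network result=success
2013-11-15T02:41:52Z logon user=CORP\\ariba-admin src=10.10.8.22 dst=vendor-portal01 type=rdp result=success
2013-11-15T03:05:30Z logon user=CORP\\ariba-admin src=vendor-portal01 dst=fileserver01 type=network result=success
2013-11-15T03:06:02Z logon user=VENDOR\\hvac-vendor1 src=vendor-portal01 dst=pos-mgmt01 type=network result=failure
2013-11-15T03:07:44Z logon user=VENDOR\\hvac-vendor1 src=vendor-portal01 dst=pos-mgmt01 type=network result=success
""".strip().splitlines()


@dataclass(frozen=True)
class Alert:
    rule: str
    ts: str
    user: str
    src: str
    dst: str


def parse(line: str):
    """Parse one log line into a dict of fields, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def evaluate(ev: dict) -> list:
    """Return the names of every rule a single successful logon violates."""
    if ev["result"] != "success":
        return []
    hits = []
    realm = ev["user"].split("\\", 1)[0]
    # Rule 1: a vendor credential is only valid on the portal itself.
    if realm == VENDOR_REALM and ev["dst"] not in VENDOR_FACING_HOSTS:
        hits.append("vendor_account_off_portal")
    # Rule 2: the portal host must never be the *source* of a logon to an
    # internal system; that is the hop from the portal into the corporate network.
    if ev["src"] in VENDOR_FACING_HOSTS and ev["dst"] in INTERNAL_HOSTS:
        hits.append("lateral_from_vendor_zone")
    # Rule 3: privileged AD accounts logging on interactively to the vendor-facing
    # host leave reusable credential material on a machine vendors can reach.
    if (ev["dst"] in VENDOR_FACING_HOSTS and ev["user"] in PRIVILEGED_ACCOUNTS
            and ev["type"] in {"interactive", "rdp"}):
        hits.append("privileged_logon_on_vendor_host")
    return hits


def detect(lines) -> list:
    """Run every rule over every parseable line and return the alerts in order."""
    alerts = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        for rule in evaluate(ev):
            alerts.append(Alert(rule, ev["ts"], ev["user"], ev["src"], ev["dst"]))
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"{a.ts} {a.rule:32} {a.user} {a.src} -> {a.dst}")
```

Rule 2 fires on the admin account as well as the vendor account, which is the point: once the portal host is the origin of traffic into the internal network it does not matter whose credential is being presented. The failed logon in the sample is skipped, but in practice a burst of failures from the portal host is worth its own rule.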
Target may have been unprepared for what happened next, the Journal hints:
… Several members of Target’s cybersecurity team left the company in the months before the hack, according to people familiar with the matter and a search of social media profiles. Many left for more prestigious jobs at other firms, the former employee said.