Investigators now believe that Target's attackers first accessed the network on November 15, 2013, using the stolen credentials, which then allowed them to access and infect other Target systems, such as payment processing and POS systems.
But why did Fazio Mechanical Services have access to Target's network? The retailer likely relies on refrigeration and HVAC systems that are managed remotely by a third party to monitor and adjust environmental controls and refrigeration systems.
Questions will now turn to Fazio's security processes and the controls that Target has in place. According to the Payment Card Industry Data Security Standard (PCI-DSS) regulations, the retailer is liable for any of its third-party contractors' security shortcomings. In fact, PCI requires merchants to "incorporate two-factor authentication for remote access (network-level access originating from outside the network) to the network by employees, administrators and third parties."
As the information regarding the Target breach evolves, the possibility that other major U.S. retailers are also vulnerable increases. It also raises the question: How could an HVAC contractor's password unlock secure systems that are used to process customer payments?
"This is something you'll see a lot more of in the evolving 'Internet of things' world. HVACs are IP-addressable appliances now, which means they have network access and logins. It wouldn't be unusual for contractors to have an HVAC login," said Dwayne Melancon, CTO of Tripwire, a data security company. "The trouble is that a lot of people implementing 'smart devices' do not recognize the security risks of placing them on a production network where they can access other sensitive data or systems. Attackers will find and exploit the weakest link in an interconnected network every time."
"Like Target, we are a victim of a sophisticated cyber-attack operation," said Ross Fazio, president of Fazio Mechanical Services, in a statement. "We are fully cooperating with the Secret Service and Target to identify the possible cause of the breach."
Original reports stated that Target's attackers stole data between November 27 and December 15, when the retailer discovered the malware infection. However, in a Senate Judiciary Committee hearing, Target CFO John Mulligan said the malware persisted undetected on 25 more checkout systems through December 18, resulting in the compromise of fewer than 150 additional credit card numbers.