The chairman of the House subcommittee investigating the theft said he suspects “a process failure.” A blog report identified a vendor.
John Mulligan, executive vice president and chief financial officer of Target Corp., testified Tuesday before the Senate Judiciary Committee’s hearing on data breaches and combating cybercrime.
WASHINGTON – Investigations circling Target’s massive data breach are pointing to a sophisticated operation that took advantage of vulnerabilities at one of the company’s contractors to access the retail giant’s customer information.
A Secret Service official on Wednesday called the criminals “highly technical and sophisticated,” while the chairman of a House subcommittee investigating the breach pointed to a “process failure” such as an accessible password as the likely security gap they were able to exploit.
“I didn’t hear a smoking gun,” Rep. Lee Terry, R-Neb., said Wednesday after questioning Target Chief Financial Officer John Mulligan at a hearing. But “it looked like it was a process failure.”
Details of how the attackers were able to access payment card and personal information from as many as 110 million Target customers late last year have been slow to emerge.
But as Mulligan appeared for a second day on Capitol Hill, the blogger who first revealed the breach quoted sources saying the attackers gained access to the network credentials of a Pennsylvania provider of refrigeration and ventilation systems.
KrebsOnSecurity reported that attackers first broke into the retailer’s network Nov. 15 using network credentials stolen from Fazio Mechanical Services of Sharpsburg, Pa.
“Fazio President Ross Fazio confirmed that the U.S. Secret Service visited his company’s offices in connection with the Target investigation,” the blog reported.
Target declined to comment on whether Fazio was involved.
At Wednesday’s hearing, a Secret Service official called the criminals behind the attack well-organized, “highly technical and sophisticated.” They were likely foreigners, William Noonan, deputy special agent in charge of criminal investigations of cybercrimes, told the House hearing.
Target acknowledges that hackers gained access to its computers by stealing the credentials of one of its vendors.
“Because this continues to be a very active and ongoing investigation, we don’t have additional information to share at this time,” spokeswoman Molly Snyder said in an e-mail to the Star Tribune.
Conducting vendor risk assessments is an important but sometimes neglected part of cybersecurity, said Chad Boeckmann, CEO of Secure Digital Solutions of Minneapolis. Lax cyber protections by a small contractor can offer an easy gateway into the computer system of a much larger company.
“Once you have a level of privileged access, it is easier to hack within the system,” said Boeckmann, who has helped companies like Medica and institutions like the University of Minnesota develop data protection plans.
Supply-chain attacks are not new for government agencies and certain kinds of businesses, but they are relatively new for retailers, said Tom Patterson of CSC cybersecurity consulting in Falls Church, Va. One reason is “the easy availability of some of this advanced malware that can be bought for a few thousand dollars on the dark web,” Patterson said.
The Secret Service’s Noonan said the malware inserted into the Target system was different from malware that infected retailer Neiman-Marcus, which also suffered a cyberattack in the second half of 2013.
The Secret Service doesn’t know if the same hackers attacked both companies, but the methods of operation appear similar.
“The malware used to infect the computer systems was not off the shelf,” Noonan said. There was “molding of the malware to fit a network.”
Gaining entry through what may have been a poorly protected vendor allowed the Target hackers to steal data even though Target has spent hundreds of millions of dollars on firewalls, malware detection software and data loss prevention tools.