Target subcontractor may have provided access to system

WASHINGTON – Investigations circling Target's massive data breach are pointing to a sophisticated operation that took advantage of vulnerabilities at one of the company's contractors to access the retail giant's customer information.

A Secret Service official on Wednesday called the criminals "highly technical and sophisticated," while the chairman of a House subcommittee investigating the breach pointed to a "process failure" such as an accessible password as the likely security gap they were able to exploit.

"I didn't hear a smoking gun," Rep. Lee Terry, R-Neb., said Wednesday after questioning Target Chief Financial Officer John Mulligan at a hearing. But "it looked like it was a process failure."

Details of how the attackers were able to access payment card and personal information from as many as 110 million Target customers late last year have been slow to emerge.

But as Mulligan appeared for a second day on Capitol Hill, the blogger who first revealed the breach quoted sources saying the attackers gained access to the network credentials of a Pennsylvania provider of refrigeration and ventilation systems.

KrebsOnSecurity reported that attackers first broke into the retailer's network Nov. 15 using network credentials stolen from Fazio Mechanical Services of Sharpsburg, Pa.

"Fazio President Ross Fazio confirmed that the U.S. Secret Service visited his company's offices in connection with the Target investigation," the blog reported.

At Wednesday's hearing, a Secret Service official called the criminals behind the attack well-organized, "highly technical and sophisticated." They were likely foreigners, William Noonan, deputy special agent in charge of criminal investigations of cybercrimes, told the House hearing.

Target acknowledges that hackers gained access to its computers by stealing the credentials of one of its vendors.

"Because this continues to be a very active and ongoing investigation, we don't have additional information to share at this time," spokeswoman Molly Snyder said in an e-mail to the Star Tribune.

Conducting vendor risk assessments is an important but sometimes neglected part of cybersecurity, said Chad Boeckmann, CEO of Secure Digital Solutions of Minneapolis. Lax cyber protections by a small contractor can offer an easy gateway into the computer system of a much larger company.

"Once you have a level of privileged access, it is easier to hack within the system," said Boeckmann, who has helped companies like Medica and institutions like the University of Minnesota develop data protection plans.

The Secret Service's Noonan said the malware inserted into the Target system was different from malware that infected retailer Neiman-Marcus, which also suffered a cyberattack in the second half of 2013.

The Secret Service doesn't know if the same hackers attacked both companies, but the methods of operation appear similar.

"The malware used to infect the computer systems was not off the shelf," Noonan said. There was "molding of the malware to fit a network."

Gaining entry through what may have been a poorly protected vendor allowed the Target hackers to steal data even though Target has spent hundreds of millions of dollars on firewalls, malware detection software and data loss prevention tools.

As he did at a Senate hearing Tuesday, Mulligan told House members Wednesday that Target performs "internal and external validation and benchmarking assessments … and, as recently as September 2013, our systems were certified as compliant with the payment card industry data security standards."

Lisa Madigan, the Illinois attorney general who co-chairs a multistate investigation of the Target and Neiman Marcus breaches, said companies continue to make simple mistakes.

Madigan declined to discuss details of her Target-Neiman Marcus inquiry. However, she said common problems include failure to use strong passwords, failure to encrypt consumer information and failure to apply available "patches" that update computer protections.

Mulligan testified that some of Target's customer information was stolen before it could be encrypted.

He could not explain why Target was able to find and remove malware within three days after the U.S. Justice Department told the company of suspicious credit card activity on Dec. 12, but could not find it through the same credit and debit card security system when the attack occurred.

"We're trying to find out why," Mulligan told the subcommittee, adding that he did not know when Target might have the answer.