Could Target have averted the credit card data breach that affected over 70 million customers? Possibly, if new reports are to be believed. Two months prior to the Target hack that affected around 70 million credit and debit card holders, a computer analyst at the retail giant had warned the company about possible weaknesses in its payment system that could be exploited by cyber criminals.
The warning from the Target computer security insider followed a series of reports the company had received from research firms, along with government advisories, warning of possible new threats to payment terminals. The warning was initially ignored by Target, according to sources of The Wall Street Journal.
Did Target snub a warning?
A review of the payment system was also suggested while updates were being conducted before the kickoff of the holiday shopping rush. It is not clear whether this review was ultimately carried out prior to the attack, which ran from Nov. 27 through Dec. 15. During the attack, the cyber thieves exploited the weakness in the system at the point where the credit card payment terminals seek authorization from the provider and card data are decrypted.
"It is everyone's worst-case scenario. As an intelligence analyst, there is only so much you can do," the former Target employee told WSJ.
Several Target employees who handled its cyber security concerns left the company a few months before the attack, said the sources familiar with the matter.
The ongoing investigation by authorities has pointed to Fazio Mechanical as the gateway for the hack. The company is a Pennsylvania-based heating, ventilation, and air conditioning services company tapped by Target to monitor the efficiency and energy consumption of its HVAC systems. The hackers used the security credentials of the third-party provider to get into Target's computer systems.
Ross Fazio, owner and president of Fazio Mechanical, released a statement to clarify certain media reports that have surfaced.
"Like Target, we are a victim of a sophisticated cyber attack operation. We are fully cooperating with the Secret Service and Target to identify the possible cause of the breach and to help create proactive remedies to enhance the security of client/vendor connections making them less vulnerable to future breaches," Fazio said in a statement.
Fazio clarified that his company does not monitor Target's HVAC systems and that the data connection with the retailer was just for purposes of project management, submission of contracts, and billing. He also said that Fazio Mechanical implements security measures that are in compliance with industry standards.
Target made itself an easy target
While Fazio claims to be a victim of a sophisticated attack, new reports that have surfaced claim that his company had the free version of Malwarebytes Anti-Malware, which is not designed or licensed for business use, and that this protection was not sophisticated enough to protect it from a malware attack.
"Multiple sources close to the investigation now tell this reporter that those credentials were stolen in an email malware attack at Fazio that began at least two months before thieves started stealing card data from thousands of Target cash registers. Two of those sources said the malware in question was Citadel - a password-stealing bot program that is a derivative of the ZeuS banking trojan - but that information could not be confirmed," KrebsOnSecurity reported.
The email phishing attack on Fazio Mechanical might not be the only big piece in the puzzle. Another theory suggests that Target was an open target for the cyber criminals because it had made documents that can be a treasure trove of information available on unsecure websites such as its Supplier Portal.
Target has neither commented on nor denied the reports that it ignored the warnings and recommendations of its cyber security analysts. However, the company informed the body of Congress investigating the matter that its payment systems passed an audit conducted in September. As of reporting, there are at least 53 lawsuits filed against Target in connection with the security breach.