Target breach happened because of a basic network segmentation error

Target breach happened because of a basic network segmentation error

Hackers gained access to Target POS systems using login credentials belonging to an HVAC company

The massive data breach at Target last month may have resulted partly from the retailer's failure to properly segregate systems handling sensitive payment card data from the rest of its network.

Security blogger Brian Krebs, who was the first to report on the Target breach, yesterday reported that hackers broke into the retailer's network using login credentials stolen from a heating, ventilation and air conditioning company that does work for Target at a number of locations.

According to Krebs, sources close to the investigation said the attackers first gained access to Target's network on Nov. 15, 2013 with a username and password stolen from Fazio Mechanical Services, a Sharpsburg, Pa.-based company that specializes in providing refrigeration and HVAC systems for companies like Target.

Fazio apparently had access rights to Target's network for carrying out tasks like remotely monitoring energy consumption and temperatures at various stores.

The attackers leveraged the access provided by the Fazio credentials to move about undetected on Target's network and upload malware programs on the company's Point of Sale (POS) systems.

The hackers first tested the data-stealing malware on a small number of cash registers and then, after determining that the software worked, uploaded it to a majority of Target's POS systems. Between Nov. 27 and Dec. 15, 2013, the attackers used the malware to steal data on about 40 million debit and credit cards. U.S., Brazil and Russia.

Krebs quoted Fazio's president, Ross Fazio, as confirming that the U.S. Secret Service had visited his company in connection with the Target breach. The company offered no other details on its alleged role in the breach.

Fazio did not immediately respond to a Computerworld request for comment. On Wednesday afternoon, the company's site appeared to be offline, though it was not immediately clear whether that had anything to do with Krebs' report.

Ever since Target first disclosed the data breach in December, the company has portrayed itself as the victim of an especially sophisticated cyber heist. Indeed, in testimony before Congress this week, Target executives defended the company's security practices and maintained that the breach was hard to avoid because of its sophisticated nature.

But Krebs suggests that the cause was much more mundane and wholly preventable, said Jody Brazil, founder and CTO at security vendor FireMon. "There's nothing fancy about the breach," Brazil said.

"Target chose to allow a third party access to its network," but failed to properly secure that access, Brazil said.

Even if Target had a valid reason for giving Fazio access, the retailer should have segmented its network to ensure that Fazio and other third parties had no access to its payment systems.

Several mature processes and practices currently exist for securing third-party access to enterprise networks, Brazil said. Even the Payment Card Industry Data Security Standard, which companies like Target are required to follow, specifies network segmentation as a way to protect sensitive cardholder data.

It was Target's responsibility to ensure that those practices were followed, Brazil said. But the fact that attackers were apparently able to leverage their third-party access to reach Target's payment systems suggests those practices were improperly implemented -- at best, he said.

The only really sophisticated component of the attack appears to have been the malware used to intercept and steal payment card data from Target's POS systems. But the attackers would have been unable to install the malware if Target had employed proper network segmentation practices in the first place, Brazil said.

Stephen Boyer, CTO and co-founder of BitSight, a company that specializes in third-party risk management, said the breach highlights the threat posed to companies by network-connected outsiders.

"In today's hyper-networked world, companies are working with more and more business partners with functions like payment collection and processing, manufacturing, IT, and human resources," Boyer said. "Hackers find the weakest point of entry to gain access to sensitive information, and often that point is within the victim's ecosystem."

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed. His e-mail address is

See more by Jaikumar Vijayan on

Read more about cybercrime and hacking in Computerworld's Cybercrime and Hacking Topic Center.

Follow Us

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags retailsharpindustry verticalsTargetCybercrime and Hacking



The making of an MSSP: a blueprint for growth in NZ

The making of an MSSP: a blueprint for growth in NZ

Partners are actively building out security practices and services to match, yet remain challenged by a lack of guidance in the market. This exclusive Reseller News Roundtable - in association with Sophos - assessed the making of an MSSP, outlining the blueprint for growth and how partners can differentiate in New Zealand.

The making of an MSSP: a blueprint for growth in NZ
Reseller News Platinum Club celebrates leading partners in 2018

Reseller News Platinum Club celebrates leading partners in 2018

The leading players of the New Zealand channel came together to celebrate a year of achievement at the inaugural Reseller News Platinum Club lunch in Auckland. Following the Reseller News Innovation Awards, Platinum Club provides a platform to showcase the top performing partners and start-ups of the past 12 months, with more than ​​50 organisations in the spotlight.​​​

Reseller News Platinum Club celebrates leading partners in 2018
Meet the top performing HP partners in NZ

Meet the top performing HP partners in NZ

HP has honoured its leading partners in New Zealand during 2018, following 12 months of growth through the local channel. Unveiled during the fourth running of the ceremony in Auckland, the awards recognise and celebrate excellence, growth, consistency and engagement of standout Kiwi partners.

Meet the top performing HP partners in NZ
Show Comments