Report: Target hackers breached account security via Penn. heating contractor

Photo: A woman pays by credit card while checking out at a Target store in 2013. (Jeff Chiu/AP, File)

A top Target executive told a congressional committee today that the retailer has been relentless in implementing defenses against hackers.

But Target CFO John Mulligan admitted that wasn't good enough to prevent a massive theft of customer information.

As if to underscore that, the security blogger who revealed that hackers stole card numbers and information for millions of Target customers reported that the hackers penetrated Target's computer network by stealing key information from a refrigeration contractor.

After the security breach, Target disclosed that cyber thieves broke into its systems using network credentials stolen from one of its vendors. But the retailer has not identified the vendor.

Citing unidentified sources, Brian Krebs, a former Washington Post reporter who blogs on security issues, reported Monday that the vendor is Fazio Mechanical Services, a Pennsylvania firm that "is refrigeration," according to its website. The company's clients include Target, Supervalu, Walmart and Whole Foods.

Why would Target hand over the keys to its computer system to a refrigeration company?

"They may have needed to gain access to Target systems in order to install monitoring software, for example, that can monitor the temperature of the stores or their usage of electricity or gas," said Jonathan Katz, director of the University of Maryland's Cybersecurity Center. "And if they had that, they may have also been given the ability to have remote access to monitor those types of things."

The credentials provided a route into Target's computer systems, enabling the criminals to plant malware that stole numbers for 40 million payment cards and name, address and other personal information for 70 million customers.

Krebs reported that the U.S. Secret Service has visited Fazio Mechanical Services in connection with its investigation of the Target data breach. The subcontractor did not return a call for comment.

Target spokesman Molly Snyder said the investigation is active and ongoing but she did not have additional information to share.

Earlier Wednesday, Target CFO John Mulligan appeared before the U.S. House Energy and Commerce Committee, which is exploring retailer data breaches and what can be done about them.

Mulligan said a vendor's compromised login ID and password were behind the data theft.

"We have an end-to-end forensic review of all of our systems," Mulligan said. "At the completion of our investigation, we're looking forward to getting the facts about what transpired."

The topic of the hearing was: Can Data Breaches Be Prevented?

The answer from retailers, security and government witnesses called before the panel was, "No." But they agreed security can be significantly improved to deal with increasingly sophisticated cybercriminals.

Mulligan said Target has vigorously tried to defend itself from hackers.

"We had a third party global firm assess us against Fortune 100 retailers just last year and we were at or better than the technology deployed at those retailers," he said.

But that wasn't enough.

"The unfortunate reality is we suffered a breach," Mulligan said. "All businesses and their customers are facing an increasingly sophisticated threat from cybercriminals. None of us can go it alone. We need to work together."

Investigators told the committee that Target was not easy prey. Secret Service agent William Noonan said Target and Neiman Marcus use robust security systems.

"But as good as security factors are, these criminal organizations are looking at ways to go around whatever security apparatus has been set up," said Noonan, whose agency is leading the investigation of the data breaches.

Illinois Attorney General Lisa Madigan told the committee that many companies are shockingly lax in securing data and she lamented that the U.S. is behind many countries in adopting technology like smart cards, which are harder to compromise.

"The notion that companies are already doing everything that they can to prevent breaches is false," Madigan said. "Frankly, it is negligent [that] the United States is behind the rest of the world when it comes to the security of our payment network."

There was a consensus among the people testifying that the impending adoption of smart cards will greatly help reduce fraud. But there were also calls for companies to pay better attention to basics like encryption and strong passwords.

Too often, critical systems are protected with a simple password, such as "password." Or a trusted partner proves vulnerable, letting hackers slip through otherwise strong defenses, as occurred at Target.
