More details regarding the massive hack that hit Target late last year have been uncovered, revealing how attackers gained access to the retailer’s systems. After a recent report said that the hackers used old-school tactics like actually stealing the credentials of a Target employee to gain access to the store, Krebs on Security now says that the credentials actually belonged to a Target maintenance company that dealt with, among other things, air conditioning vents.
While hackers did not actually enter a Target store through the vents like in the movies, they got access to the company’s credentials and used them to attack Target’s internal networks. Apparently the Secret Service has already visited the company in question, which has serviced various Target locations as well as other stores including Trader Joe’s, Whole Foods and BJ’s Wholesale Club locations in Pennsylvania, Maryland, Ohio, Virginia and West Virginia.
Even so, it’s not clear why a maintenance company would also have access to Target’s systems including its point of sale (POS) machines, and officials have not shared more details about the ongoing investigation.
A cybersecurity expert that talked to the publication said that it’s retail stores to have a team that monitors energy consumption and temperatures in stores, making sure that companies save on costs, but also insuring that temperatures would not disrupt regular shopping operations.
“To support this solution, vendors need to be able to remote into the system in order to do maintenance (updates, patches, etc.) or to troubleshoot glitches and connectivity issues with the software,” the cybersecurity expert said. “This feeds into the topic of cost savings, with so many solutions in a given organization. And to save on head count, it is sometimes beneficial to allow a vendor to support versus train or hire extra people.”
Investigators have also revealed that initially, the hackers only hit a few Target stores, studying the efficiency of their malware – between November 15 and November 28 – and then expanded their reach to a “majority of Target’s point-of-sale devices.” From there, they stole over 40 million debit and credit card accounts until December 15. Additionally, they also took personal data belonging to 70 million customers.
Furthermore, the data was then stored on various compromised servers, both in the U.S. and Brazil, from where hackers from Eastern Europe and Russia could safely access it.
A fraud analyst from Gartner Inc. estimates Target to face losses of up to $420 million following the attack, including reimbursement to banks for the costs of reissuing millions of cards, fines from the card brands, Target customer service costs, legal fees and credit monitoring fees for millions of customers affected by the attack.