How an HVAC Company May Have Compromised Target’s Data


Image courtesy of chanpipat / Freedigitalphotos.net

A recent post by KrebsOnSecurity reports that the attacks on Target were made possible using stolen credentials from a third-party vendor, specifically an HVAC contractor for the company. While that may seem unlikely to you – how could an HVAC contractor have access to Target’s network? – it’s not surprising that in this day and age, HVAC systems can be remotely accessed and monitored. After all, we live in a digital age. We think nothing of programming our DVRs while away from home, or logging into our home thermostat to program it, so it should be no surprise that large systems have advanced capabilities. The surprising part is that credentials for the HVAC system would also allow access to the rest of Target’s network.

The investigation is still underway, so there are a lot of unknowns. Did Target require some form of two-factor authentication for access, and if not, why not? Was the HVAC network segmented from the rest of the network? How frequently were passwords changed, if at all? I would assume Target is taking a hard look at some of their security practices, and in light of this and the recent announcement of the Neiman Marcus breach, a lot of other companies that process millions of credit cards should also be reviewing their practices.

The Krebs article highlights another security issue as well. The stolen data was transmitted using “drop” locations: compromised computers that stored the data and that the hackers could access. While Target shoulders the brunt of the blame for this situation, it also underscores the importance of security at multiple levels, from home computers to small and medium businesses. An infected computer or server doesn’t just put the users of that system at risk; hackers can use that system for their own nefarious purposes, such as an intermediate drop for stolen data.

The key lesson here is the importance of protecting a network, regardless of where it is and what it’s doing. Even Fortune 500 companies and security professionals can be vulnerable. Limit access to your network. If third parties need access, limit their access, monitor their use, and disable the access when not needed. Take security seriously, even at home. It’s not just your data that you might be protecting.
