Target Data Breach Started through Stolen HVAC Contractor Login

According to a recent post by Brian Krebs on his Krebs on Security blog, the infamous Target data breach started with hackers stealing a network login from an HVAC contractor working for Target Corporation. Mr. Krebs, a former reporter for The Washington Post, wrote, “Sources close to the investigation said the attackers first broke into the retailer’s network on Nov. 15, 2013 using network credentials stolen from Fazio Mechanical Services, a Sharpsburg, Penn.-based provider of refrigeration and HVAC systems.”

This revelation speaks directly to the challenge many organizations face in allowing third parties such as contractors access to internal systems. One of the most talked-about features in modern Identity and Access Management systems is Identity Federation or, more specifically, “role-based” identity federation, where a contractor is provided access limited to the applications required to perform their work.

In the case of the Target breach, still more needs to be understood. As Mr. Krebs states, “It’s not immediately clear why Target would have given an HVAC company external network access, or why that access would not be cordoned off from Target’s payment system network. But according to a cybersecurity expert at a large retailer who asked not to be named because he did not have permission to speak on the record, it is common for large retail operations to have a team that routinely monitors energy consumption and temperatures in stores to save on costs (particularly at night) and to alert store managers if temperatures in the stores fluctuate outside of an acceptable range that could prevent customers from shopping at the store.”

For those of you responsible for cyber security in your organization watching this Target spectacle unfold from a parallel perch, we cannot emphasize the importance of Identity Management enough. As we state in our Free 2014 Solutions Identity and Access Management Buyers Guide, “The best practice for the enterprise is to implement an Identity and Access Management (IAM) solution. And given the regulatory, security and public relations implications, an IAM solution may be the single most important best practice you will implement – ever.”

Doug Atkinson