
Target Breach Caused by Failure to Segment Payment and Non-Payment Networks


The infamous Target security breach that exposed the financial and personal information of tens of millions of Americans late last year was the result of the company’s failure to keep its routine operations and maintenance functions on a separate network from critical payment functions, according to information from security researcher Brian Krebs, who first reported the breach in December.

Target last week revealed to The Wall Street Journal that the initial breach of its network was traced to login information stolen from a third-party vendor. Mr. Krebs now reports that the vendor in question was Fazio Mechanical Services, a Sharpsburg, PA-based firm that contracted with Target to provide refrigeration and HVAC installation and maintenance. Fazio president Ross Fazio confirmed that the company was visited by the U.S. Secret Service as part of the investigation, but has not yet made any public statements about the reported involvement of login credentials assigned to its employees.

Fazio employees were granted remote access to Target’s network to monitor parameters like energy usage and refrigeration temperatures. But because Target reportedly failed to segment its network, knowledgeable hackers could use those same third-party remote credentials to access the retailer’s sensitive point-of-sale (POS) servers. The still unknown hackers took advantage of this vulnerability to upload malware to the majority of Target’s POS systems, which then captured the payment and personal information of up to 70 million customers who shopped at the store between late November and mid-December.

This revelation has cast doubt on the characterization of the event by Target executives as a sophisticated and unanticipated cyber theft. While the uploaded malware was indeed quite complex, and while Fazio employees share some blame for allowing the theft of login credentials, the fact remains that either condition would have been rendered moot if Target had followed security guidelines and segmented its network to keep payment servers isolated from networks that allow relatively broad access.

Jody Brazil, founder and CTO of security firm FireMon, explained to Computerworld, “There’s nothing fancy about [the Target security breach]. Target chose to allow third party access to its network, but failed to properly secure that access.”

If other companies fail to learn from Target’s mistakes, consumers can expect even more breaches to follow. Stephen Boyer, CTO and co-founder of risk management firm BitSight, explained, “In today’s hyper-networked world, companies are working with more and more business partners with functions like payment collection and processing, manufacturing, IT, and human resources. Hackers find the weakest point of entry to gain access to sensitive information, and often that point is within the victim’s ecosystem.”

Target has not yet been found to have violated payment card industry (PCI) security standards as a result of the breach, but some analysts foresee trouble in the company’s future. Although segmenting networks between payment and non-payment functions is highly recommended, PCI standards do not require it. There remains some question, however, as to whether Target’s third-party access utilized two-factor authentication, which is a requirement. Violations of PCI standards can result in large fines, and Gartner analyst Avivah Litan told Mr. Krebs that the company could face penalties of up to $420 million over the breach.

The government has also started to act in response to the breach. The Obama administration this week recommended the adoption of tougher cyber-security laws, which would bring both harsher penalties for offenders and federal requirements for companies to notify customers in the wake of security breaches and to follow certain minimum practices when it comes to cyber data policies.


Jim Tanous

Feb 6, 2014
