Target Hacking Sheds Light on Contractor Risks

Should contractors take network security seriously when working with clients? Absolutely. Remember the recent Target data breach late last year? A HVAC contractor’s system was the entry point.

Hacker typing on a laptopHackers broke into Target’s network by stealing the contractor’s login credentials to the computerized heating and cooling software, according to The Wall Street Journal. And the hackers stole the credit and debit card numbers of some 70 million people.

The HVAC contractor identified as the entry point to Target’s network is Fazio Mechanical Services, a Pennsylvania firm. While the firm has offered little comment, President and Owner Ross E. Fazio, released a statement explaining the following:

  • Fazio Mechanical does not perform remote monitoring of, or control of, heating, cooling and refrigeration systems for Target.
  • Fazio’s data connection with Target was exclusively for electronic billing, contract submission and project management, and Target is the only customer for whom the company manages these processes on a remote basis. No other customers have been affected by the breach.
  • Fazio’s IT system and security measures are in full compliance with industry practices.
  • Fazio Mechanical is not the subject of the federal investigation into the breach.

The Target debacle is an important reminder of the risks incurred by corporations and contractors as they both are involved in the operation of large and interconnected sprawling networks.

Weak security at any level can lead to a breach that can costs hundreds of millions of dollars. A HVAC contractor really has nothing to do with a customer’s payment processing system, but using a low-level victim to hack into a corporate network has become a common hacking tactic.

Once hackers have a username and password, they can move through a network until they find what they are looking for – in this case, credit and debit card numbers.

This discovery of the breach highlights the vulnerabilities that other major U.S. retailers face.

Brian Krebs, the security blogger who first broke the story about the Target breach, consulted with a cybersecurity expert at a large retailer to get his opinion on what had happened.

The expert asked not to be named because he did not have permission to speak on the record. He said it’s common for retailers like Target to have teams that monitor energy consumption and temperatures in stores to save on operating costs.

“To support this solution, vendors need to be able to remote into the system in order to do maintenance (updates, patches, etc.) or to troubleshoot glitches and connectivity issues with the software,” the source said. “This feeds into the topic of cost savings, with so many solutions in a given organization. And to save on head count, it is sometimes beneficial to allow a vendor to support versus train or hire extra people.”

Security at contracted companies tends to be poor and often the same password is used for multiple customers, says Billy Rios, director of threat intelligence at Qualys, a cloud security firm, according to an article about the Target breach in The New York Times.

In the last two years, Rios and his Qualys associate Terry McCorkle have found 55,000 HVAC systems connected to the Internet, and most of the systems contained security flaws that would allow hackers to access the companies’ networks.

Security experts recommend that contractors avoid using default passwords, or the same passwords for multiple accounts. The experts also advise companies “to wrap additional digital security defenses around valuable assets, such as a company’s intellectual property, or in Target’s case, the cash register systems that process credit card payments,” according to the article.

Next Steps:

Leave a comment


Name*

Email(will not be published)*

Website

Your comment*

Submit Comment

© Goodway Technologies, 2017. All rights reserved. Just Venting is powered by Backbone Media, Inc.