Every day, there’s another news headline highlighting a data breach at a large, well-known company. We are so used to hearing of them now that the impact has been lessened. The Target breach was different. For most people, the Target breach news struck close to home. It has been fascinating following the unraveling of how the event occurred and how Target has responded to the breach. As much as Target would like the data breach news coverage to end, it is not going away.
The latest finding is that the Target breach likely occurred through Fazio Mechanical Services, Inc. (FSM), a refrigeration contractor in Pittsburgh that connected to Target’s systems to do electronic billing, contract submission, and project management. It now appears that FSM itself was hacked by a sophisticated attack.
This new piece of information gives rise to many questions that need to be answered. For IT security organizations, here are three critical ones for consideration:
1. Did FSM really need electronic connectivity to Target’s networks?
Every situation is different, and each one needs to be judged on its own merits. However, every company needs to think very carefully before connecting anyone to their internal computer networks. A connection, by its very nature, generates additional risk. Connecting an outside company to the internal network may save money and create efficiencies, but how much can be lost if something goes sour?
Target Corp.’s computer security staff raised concerns about vulnerabilities in the retailer’s payment card system at least two months before hackers stole 40 million credit and debit card numbers from its servers, people familiar with the matter said.
At least one analyst at the Minneapolis-based retailer wanted to do a more thorough security review of its payment system, a request that at least initially was brushed off, the people said. The move followed memos distributed last spring and summer by the federal government and private research firms on the emergence of new types of malicious computer code targeting payment terminals, a former employee said.
Kickstarter, the fund-raising platform used by millions of people to raise capital for creative projects and businesses, said over the weekend that hackers had gained access to some of its customers’ data last week but that the breach had been repaired.
“No credit card data of any kind was accessed by hackers,” Kickstarter’s chief executive, Yancey Strickler, wrote in a blog post on Saturday on the company’s website. “There is no evidence of unauthorized activity of any kind on all but two Kickstarter user accounts,” he wrote. The post noted that the company’s website does not store credit card data.
Recent data breaches at Target and Neiman Marcus have raised concerns among lawmakers and the public over who should bear the cost of consumer losses and how to improve security online.
The compromised Kickstarter information included user names, email addresses, mailing addresses, phone numbers and encrypted passwords, according to the company, which was informed of the breach by law enforcement officials last week.
It added that while the passwords were not revealed, people with computer expertise could still decipher encrypted passwords, and recommended that users change their passwords as well as those for other sites or accounts for which the users had the same password.