Minneapolis Star Tribune
Target: Cybercrooks used stolen vendor ID to hack into system
- Article by: JENNIFER BJORHUS, Star Tribune
- Updated: January 29, 2014 - 10:41 PM
Retailer said the credentials were used to hack company systems at checkout.
Target Corp. said Wednesday that the huge data breach it suffered late last year happened after an intruder stole a vendor’s credentials and used them to gain access to the company’s computer system.
A Target spokeswoman wouldn’t identify the vendor or type of credentials because the retailer is in the midst of forensic and criminal investigations into the malware attack, where cybercrooks hijacked debit and credit card information from up to 110 million people.
“We’re conducting an end-to-end review of our systems,” spokeswoman Molly Snyder said in an interview.
In a written statement the company issued in response to questions, Snyder said Target has eliminated the malware and closed the access. She said the Minneapolis-based company has also taken extra precautions such as limiting or updating access to some platforms while the investigation continues.
The new detail about stolen credentials sheds a spark of light on a key question that has circled around the heist: How did the cybercrooks break into Target’s point-of-sale system to insert malicious software?
Data security blogger Brian Krebs, who first broke the news of Target’s breach in December, said he doesn’t know with certainty what vendor or stolen credentials Target is referring to.
In his blog, KrebsOnSecurity, Krebs wrote Wednesday that one of the pieces of malware used in the Target attack appeared to be mimicking a default password from an IT management software product used by many major retailers. The software is produced by Houston-based BMC Software, and he suspects Target uses it.
The default password essentially creates a vulnerable back door built into the software.
“It has a hidden password that not even the people installing the system know about but apparently the bad guys know about it,” Krebs said.
BMC spokesman Mark Stouse said he couldn’t discuss Target’s comments or Krebs’ assertions. “BMC Software has received no information from Target or the investigators about this matter,” he said.
When asked if BMC is part of the investigation, Stouse said: “We are definitely collaborating with McAfee.”
McAfee is a leading computer security company based in Santa Clara, Calif.
Stouse said BMC has no indication that its products “were leveraged or compromised in this attack.”
“BMC has alerted our customers to be diligent about potential malware that may be masquerading as a BMC product,” he said in an e-mail.
The Target breach is one of the country’s largest recorded data security breaches. It has forced U.S. banks to issue at least 15 million new credit and debit cards so far to people who bought merchandise in Target stores during the breach period, and is fueling efforts to pass federal legislation to better protect consumer information.
Target’s CFO will appear at a Senate Judiciary Committee hearing Tuesday on the investigation and efforts to safeguard consumer information.
Attorney General Eric Holder told the Senate Judiciary Committee Wednesday that the Justice Department is committed to finding the hackers behind the cyberheist. His remarks were the first official confirmation that the Justice Department is part of the investigation.
“We are committed to working to find not only the perpetrators of these sorts of data breaches, but also any individuals and groups who exploit that data via credit card fraud,” Holder said.
In the Target attack, hackers somehow inserted memory-scraping malware into the point-of-sale systems at the checkout in Target’s U.S. stores that scooped up data from an estimated 40 million credit and debit cards, including about 6.5 million of Target’s Redcard Visa credit cards and Redcard debit cards.
The company later revealed that thieves also stole the partial personal information of 70 million people, including names, mailing addresses, phone numbers or e-mail addresses.
Jennifer Bjorhus • 612-673-4683