For the millions of victims of Target’s (TGT) data and credit-card hack, some answers are emerging about how the crime was committted, but it might not prove reassuring.
A Pennsylvania-based heating and air conditioning company appears to have been the victim of the "phishing" attack, which allowed the criminals to access Target’s systems, reports security expert Brian Krebs, who was the first to alert consumers in December about the hack that has affected as many as 110 million customers.
The breach at Target appears to have started with a malware-infected email sent to employees at Fazio Mechanical, an HVAC firm based in Sharpsburg, Pa., Krebs writes on his blog. (He had disclosed last week that that Fazio appeared to be the link to the breach.) After the phishing attack, credentials were then apparently stolen from Fazio, as early as two months before the criminals zeroed in on Target’s systems, he notes.
Target didn’t immediately return requests for comment.
In a statement, Fazio said its data connection to Target was “exclusively for electronic billing, contract submission and project management, and Target is the only customer for whom we manage these processes on a remote basis. No other customers have been affected by the breach.” It added that Fazio isn’t the subject of the federal investigation into the breach, although it declined to comment on the probe.
The disclosure isn’t likely to reassure shoppers, given that the hack originated from a third-party vendor without the kind of deep pockets that can finance state-of-the art security systems. Hackers are becoming increasingly sophisticated and looking for cracks that will allow them entry into treasure troves of digital data.
“Many companies are good at taking care of themselves, but don’t understand how to get third-parties appropriately secure as well,” noted John Pironti, risk advisor with ISACA, an IT and information security association, and president of IP Architects.
The email phishing program that attacked Fazio, and led to the Target hack, was a password-stealing bot program, Krebs wrote. It’s unlikely that the hackers specifically targeted the HVAC firm, but instead probably sent out an email blast, and then picked their victims from a list of infected targets, he explained.For Target, the hack has been disruptive and costly. The retailer warned last month that expenses related to the hack — such as providing credit-monitoring protection for customers — may impact its financial results, although it wasn’t able to provide an estimate. Sales at its stores fell in the fourth quarter, as some customers expressed dismay and concern about the breach.
By one estimate, Target’s hack-related costs may top $1 billion, the Pioneer Press reported last month, citing a report from Jefferies analyst Daniel Binder. The report noted that between 10 percent to 15 percent of the stolen cards were fraudulently used.
Of course, Target isn’t the only one to suffer losses. Banks have spent more than $172 million to replace payment cards in the weeks after the breach, according to the Consumer Bankers Association.