An unwitting Pittsburgh heating and refrigeration business might have been used as a back door by hackers to steal millions of Target customers' credit and debit card numbers.
Investigators appear to be considering that theory. If it proves correct, it would highlight a vulnerability that big corporations create for themselves as they expand and connect their networks to other companies to foster efficiency.
Fazio Mechanical Service Inc. said in a statement last Thursday that it fell victim to a "sophisticated cyberattack operation," just like the company it does business with. It also said it is cooperating with the Secret Service and Target to find the culprit.
Internet security bloggers pointed to the Sharpsburg, Pa.-based company as the third-party vendor through which the hackers accessed Target's system. That access was followed by the installation of malicious software on Target's checkout system to acquire 40 million card numbers.
It was previously reported that Target suffered a massive data breach sometime between Nov. 27 and Dec. 15, in which 110 million customers' data were stolen and sent to a server in Russia. The breach reportedly started with malware-infected point-of-sale (POS) terminals in the American retailer's stores. By examining the malicious software, two security companies found that Target's network was compromised for more than two weeks.
"Companies really have to look at the risks associated with that," Ken Stasiak told the Associated Press. Stasiak, the CEO of SecureState, a firm that investigates data breaches, added that industry regulations require companies to segregate information such as contracts and billing from their customers' financial information.
The hackers needed to navigate even further through Target's network to reach the checkout system, Stasiak noted. This would mean that the hackers did not carry out the attack with a simple penetration.
Chester Wisniewski, an adviser for the security firm Sophos, said that while companies are expected to keep their customers' information on separate storage, they are not required to place it on a completely different network.