The massive credit card and customer data breach that impacted Target, the second-largest U.S. retailer, took on new dimensions this week. Business media are reporting that hackers gained initial access to Target’s internal systems by using an unnamed vendor’s credentials.
A company statement indicates: “we can confirm that the ongoing forensic investigation has indicated that the intruder stole a vendor’s credentials which were used to access our system.”
The Wall Street Journal reported (paid subscription) that Target clamped down on access to two such vendor systems, a human resources website and a database for suppliers, after discovering the attack. From these systems, hackers were somehow able to gain access to Target’s point-of-sale (POS) system and plant the suspected malware, even though there was not a direct relationship. The malware further found its way to another system containing email addresses and phone numbers for 70 million customers.
The WSJ went on to report that the Federal Bureau of Investigation (FBI) issued an advisory to security experts and other retailers identifying 20 cyber attacks in the past year similar to the one that hit Target, and warned that the threat is likely to grow. It also reported that a version of the malware close to the one used in the Target breach became known to cybersecurity firms a year ago.
Target, like other retailers, has a history of outsourcing its IT systems and select online commerce applications to third-party outsourcing and service provider firms, although no currently available information points to these systems as entry points.
The implication of this new awareness is that systems are potentially vulnerable to compromised security when third-party IT vendors are part of the systems landscape. There is no doubt that IT organizations will revisit and strengthen information security protocols and standards. That would include addressing IT employees who walk out the door with system login knowledge.
There are important ramifications for B2C and B2B customer fulfillment processes that involve third-party IT vendors: retailers and consumer goods producers must be assured that information security remains a top priority and that strict standards are being adhered to.
Teams in these process areas should continue to monitor all of the available information stemming from both the Target and other data breach incidents.