Target traces security breach to stolen vendor credentials

The hackers who stole millions of credit card numbers from Target have been tracked back to electronic credentials stolen from a vendor.
Written by Charlie Osborne, Contributing Writer
Screen Shot 2014-01-30 at 09.50.54

Target's investigation of the massive security breach which allowed hackers to take millions of credit and debit card numbers has revealed a stolen vendor's credentials as a source of access.

Speaking to the Wall Street Journal, spokeswoman Molly Snyder confirmed that "ongoing forensic investigation has indicated that the intruder stole a vendor's credentials which were used to access our system."

While Target has not revealed how the credentials were stolen or which particular outlet was at fault, the firm did say the particular portal now has limited access to its computer systems while the investigation continues. Target's systems are accessible from a number of outlets and many different platforms could be at fault. For example, two systems -- a human resources website and supplier database -- had access restricted shortly after the attack was discovered, but Target said the hackers used a system which was not related to payment areas.

It is not yet known how the hackers moved from an unrelated platform to Target's point-of-sale devices.

Large firms usually have access to far more security-related resources than small vendors and firms that piggy-back on their systems -- whether as part of a supply chain or as a provider of third-party software. As a result, cybercriminals are known to break in to smaller systems with less protection in order to access larger, more lucrative networks. In this case, Target's networks were infiltrated through a third party, allowing the hackers to move through Target's systems to steal valuable credit card information.

The cyberattack, taking place from November 2013, lifted roughly 40 million credit and debit card records from the US. retailer, as well as approximately 70 million records containing information such as addresses and mobile numbers. While Target is working with the U.S. Secret Service and FBI to track down the culprits, the stolen data has been floating around black markets for weeks, according to a report on Krebs on Security.

The stolen data can be purchased as "dumps," data that can be used to clone debit and credit cards to use them in stores. If PIN codes are included within the data dumps, then criminals can also use the clones to take cash from bank accounts using ATMs.

Target is not the only recent high-profile target of data thieves. Last week, U.S. retailer Neiman Marcus Group admitted its own security breach, which resulted in the credit card scraping of 1.1 million customers. Malware on the company's systems was discovered on Jan. 1, and it is believed was able to collect payment card data from July 16 to Oct. 30 last year.

Editorial standards