Here’s How Hackers Stole 110 Million Americans’ Data From Target

It appears to be among the biggest phishing catches of all time.

cybersecurity - hacker with credit card and black mask
National Journal
Feb. 12, 2014, 10:02 a.m.

More than 110 mil­lion Tar­get cus­tom­ers had their cred­it-card in­form­a­tion stolen be­cause at least one em­ploy­ee of a heat­ing and air-con­di­tion­ing con­tract­or suc­cumbed to an email phish­ing scheme, cy­ber­se­cur­ity blog­ger Bri­an Krebs re­por­ted Wed­nes­day.

The rev­el­a­tion, if true, is the strongest in­dic­a­tion yet of what went wrong since Krebs first ex­posed the massive heist of con­sumer fin­an­cial data at the na­tion­al re­tail gi­ant late last year, a start­ling cy­ber­at­tack that has promp­ted in­tense con­gres­sion­al in­quiry. Nei­man Mar­cus and oth­er chains have also re­cently been vic­tim­ized, though it is not be­lieved that the per­pet­rat­ors are the same.

Last week, Krebs re­por­ted that hack­ers in­filt­rated Tar­get’s net­work by swip­ing the lo­gin cre­den­tials of Fazio Mech­an­ic­al Ser­vices, a Pennsylvania-based con­tract­or.

Now, an­onym­ous sources tell Krebs that cre­den­tials “were stolen in an email mal­ware at­tack at Fazio that began at least two months be­fore thieves star­ted steal­ing card data from thou­sands of Tar­get cash re­gisters.” It ap­pears that the cul­prits used a pass­word-steal­ing bot known as Cit­adel to get the job done.

Fazio, in re­sponse to its sud­den no­tori­ety last week, sent out a state­ment ex­plain­ing that it had been “the vic­tim of a soph­ist­ic­ated cy­ber­at­tack op­er­a­tion.” But Krebs notes that the com­pany’s de­fense against ma­li­cious at­tacks was a free ver­sion of a some­what im­pot­ent anti-mal­ware pro­gram, which “is made ex­pli­citly for in­di­vidu­al users and its li­cense pro­hib­its cor­por­ate use.”

Mem­bers of Con­gress are call­ing for a bill to cre­ate a na­tion­al re­port­ing stand­ard for data breaches sim­il­ar to the one that hit Tar­get. Re­tail­ers and fin­an­cial in­sti­tu­tions would be re­quired to no­ti­fy gov­ern­ment and con­sumers of breaches when they oc­cur.

The new rev­el­a­tions ar­rive on a day when the White House rolled out a set of vol­un­tary guidelines in­ten­ded to help busi­nesses de­fend them­selves against hack­ers.

What We're Following See More »
ANOTHER DEADLINE COMES AND GOES
Mnuchin Tells Neal He Won't Comply with Subpoena for Trump Taxes
5 hours ago
THE LATEST
COURT FINDS FOR HOUSE OVERSIGHT COMMITTEE
Trump Cannot Block Subpoena of His Accounting Records
5 hours ago
THE LATEST
HE WAS SUBPOENAED
White House Will Tell McGahn Not to Testify
8 hours ago
THE LATEST
RECORDS HANDED OVER UNDER SUBPOENA
Prosecutors Poring Over Inauguration Documents
9 hours ago
THE LATEST
MASSACHUSETTS LAW HAD BEEN CHALLENGED
SCOTUS Says Businesses Can't Donate to Candidates
9 hours ago
THE DETAILS
×
×

Welcome to National Journal!

You are currently accessing National Journal from IP access. Please login to access this feature. If you have any questions, please contact your Dedicated Advisor.

Login