Here’s How Hackers Stole 110 Million Americans’ Data From Target

It appears to be among the biggest phishing catches of all time.

National Journal
Dustin Volz
Feb. 12, 2014, 10:02 a.m.

More than 110 million Target customers had their credit-card information stolen because at least one employee of a heating and air-conditioning contractor succumbed to an email phishing scheme, cybersecurity blogger Brian Krebs reported Wednesday.

The revelation, if true, is the strongest indication yet of what went wrong since Krebs first exposed the massive heist of consumer financial data at the national retail giant late last year, a startling cyberattack that has prompted intense congressional inquiry. Neiman Marcus and other chains have also recently been victimized, though it is not believed that the perpetrators are the same.

Last week, Krebs reported that hackers infiltrated Target’s network by swiping the login credentials of Fazio Mechanical Services, a Pennsylvania-based contractor.

Now, anonymous sources tell Krebs that credentials “were stolen in an email malware attack at Fazio that began at least two months before thieves started stealing card data from thousands of Target cash registers.” It appears that the culprits used a password-stealing bot known as Citadel to get the job done.

Fazio, in response to its sudden notoriety last week, sent out a statement explaining that it had been “the victim of a sophisticated cyberattack operation.” But Krebs notes that the company’s defense against malicious attacks was a free version of a somewhat impotent anti-malware program, which “is made explicitly for individual users and its license prohibits corporate use.”

Members of Congress are calling for a bill to create a national reporting standard for data breaches similar to the one that hit Target. Retailers and financial institutions would be required to notify government and consumers of breaches when they occur.

The new revelations arrive on a day when the White House rolled out a set of voluntary guidelines intended to help businesses defend themselves against hackers.
