Target Breach Investigation Shows Tangled Web of Third Party Risks

As more and more details surrounding the Target breach continue to unfold, it's becoming evident just how complicated it can be for investigators and journalists to follow the trail of evidence left behind. The latest reports suggest that one or more business partners were used by the attackers to gain access to Target's systems. Below is a summary of top stories which provide insight into the tangled web of third party vendors and suppliers which may have left Target vulnerable to attack, highlighting just how esstential it is for organizations to be aware of their third party risks.

Krebs on Security: New Clues in the Target Breach

Security journalist Brian Krebs reported on January 29 that the breach may have occurred through an IT Management Software the retailer (and several others) is running on its internal network. He cites Malcovery's CTO statement that "an SQL Injection attack resulted in malware being placed on the network and credit card or personal information being exfiltrated from the network."

WSJ: Target Hackers Used Stolen Vendor Credentials

Yesterday evening the WSJ also published details concerning the breach, pointing to the possibilty of a vendor's software being the source of the exploited vulnerability. Target spokeswoman Molly Snyder confirmed in the article that a vendor's credentials were stolen and used to access their systems, however she did not reveal which vendor was implicated or what systems were accessed. The article references an earlier statement by the WSJ that Target was investigating their HR software as well as a supplier's database platform.

Motivation for more comprehensive third party risk management?

This issue of third party risk is not limited to Target alone. Just this week, Bright Horizons announced that confidential data was compromised via a vulnerability on their payment processor's network, and Easton-Bell Sports announced its customers' personal information was exposed due to malware on a vendor's server. It is clear that organizations must do more to mitigate third party risk. Protecting the organization across the extended enterprise requires moving beyond a reliance on check-box compliance. Including more sophisticated, evidence-based measurement tools that can help alert organizations to new and emerging risks is a step towards a more mature and comprehensive risk strategy.