Target Breach Investigation Shows Tangled Web of Third Party Risks

Melissa Stevens | January 30, 2014 | tag: Retail

As more and more details surrounding the Target breach continue to unfold, it's becoming evident just how complicated it can be for investigators and journalists to follow the trail of evidence left behind. The latest reports suggest that one or more business partners were used by the attackers to gain access to Target's systems. Below is a summary of top stories that provide insight into the tangled web of third party vendors and suppliers which may have left Target vulnerable to attack, highlighting just how essential it is for organizations to be aware of their third party risks.

Krebs on Security: New Clues in the Target Breach

Security journalist Brian Krebs reported on January 29 that the breach may have occurred through IT management software the retailer (and several others) is running on its internal network. He cites a statement by Malcovery's CTO that "an SQL Injection attack resulted in malware being placed on the network and credit card or personal information being exfiltrated from the network."

WSJ: Target Hackers Used Stolen Vendor Credentials

Yesterday evening the WSJ also published details concerning the breach, pointing to the possibility of a vendor's software being the source of the exploited vulnerability. Target spokeswoman Molly Snyder confirmed in the article that a vendor's credentials were stolen and used to access Target's systems; however, she did not reveal which vendor was implicated or which systems were accessed. The article references an earlier statement by the WSJ that Target was investigating its HR software as well as a supplier's database platform.

Motivation for more comprehensive third party risk management?

This issue of third party risk is not limited to Target alone. Just this week, Bright Horizons announced that confidential data was compromised via a vulnerability on their payment processor's network, and Easton-Bell Sports announced its customers' personal information was exposed due to malware on a vendor's server. It is clear that organizations must do more to mitigate third party risk. Protecting the organization across the extended enterprise requires moving beyond a reliance on check-box compliance. Including more sophisticated, evidence-based measurement tools that can help alert organizations to new and emerging risks is a step towards a more mature and comprehensive risk strategy.
