As more and more details surrounding the Target breach continue to unfold, it's becoming evident just how complicated it can be for investigators and journalists to follow the trail of evidence left behind. The latest reports suggest that one or more business partners were used by the attackers to gain access to Target's systems. Below is a summary of top stories which provide insight into the tangled web of third party vendors and suppliers which may have left Target vulnerable to attack, highlighting just how essential it is for organizations to be aware of their third party risks.
Security journalist Brian Krebs reported on January 29 that the breach may have occurred through IT management software that the retailer (and several others) runs on its internal network. He cites a statement by Malcovery's CTO that "an SQL Injection attack resulted in malware being placed on the network and credit card or personal information being exfiltrated from the network."
Yesterday evening the WSJ also published details concerning the breach, pointing to the possibility of a vendor's software being the source of the exploited vulnerability. Target spokeswoman Molly Snyder confirmed in the article that a vendor's credentials were stolen and used to access their systems; however, she did not reveal which vendor was implicated or what systems were accessed. The article references an earlier statement by the WSJ that Target was investigating their HR software as well as a supplier's database platform.
This issue of third party risk is not limited to Target alone. Just this week, Bright Horizons announced that confidential data was compromised via a vulnerability on their payment processor's network, and Easton-Bell Sports announced its customers' personal information was exposed due to malware on a vendor's server. It is clear that organizations must do more to mitigate third party risk. Protecting the organization across the extended enterprise requires moving beyond a reliance on check-box compliance. Including more sophisticated, evidence-based measurement tools that can help alert organizations to new and emerging risks is a step towards a more mature and comprehensive risk strategy.