Target and PCI Compliance
Krebs on Security is reporting today that the Target breach began with network credentials stolen from one of its HVAC contractors:
Last week, Target told reporters at The Wall Street Journal and Reuters that the initial intrusion into its systems was traced back to network credentials that were stolen from a third party vendor. Sources now tell KrebsOnSecurity that the vendor in question was a refrigeration, heating and air conditioning subcontractor that has worked at a number of locations at Target and other top retailers.
If this is the case, it is a humongous PCI DSS compliance failure. PCI DSS Requirement 7 restricts access to cardholder data to people with a business need to know, and I’m pretty sure HVAC contractors do not have a legitimate “need to know.”
It’s not immediately clear why Target would have given an HVAC company external network access, or why that access would not be cordoned off from Target’s payment system network.
Um, yeah. The security team at Target should not have permitted this kind of access, and even if they messed up (they are only human), the auditors should have caught it. A Level 1 merchant like Target must undergo an annual on-site assessment by a Qualified Security Assessor, and when network segmentation is used to keep systems out of PCI scope, the assessor has to verify that the segmentation actually holds. A path from a contractor-reachable network into the cardholder data environment is precisely the kind of oversight that assessment exists to find.
Maybe the attack was more sophisticated and managed to jump from the network that controls heating and cooling (where the HVAC guys legitimately belong) to the payment system network in some as-yet-unseen way. However, if there was ever a place where network segregation should be near impossible to cross, that is the place.
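For the sake of concreteness, here is what that segregation boundary looks like as an nftables ruleset on a router sitting between a contractor-reachable building-management zone and the cardholder data environment. This is an added example, not anything from the original post and not a description of Target’s real network; the interface name, subnets, jump host address and protocol ports are assumptions chosen for illustration.

```nftables
#!/usr/sbin/nft -f
# Hypothetical segmentation policy between a building-management (HVAC) zone
# and the cardholder data environment (CDE). All addresses, the VPN interface
# name and the jump host are assumptions for this example.

define BMS_NET   = 10.40.0.0/16   # HVAC / building-management VLAN, contractor reachable
define CDE_NET   = 10.10.0.0/16   # cardholder data environment: POS, payment switch
define JUMP_HOST = 10.20.0.5      # hardened admin jump host for CDE administration

table inet segmentation {
    chain forward {
        # Default deny for every packet routed between zones; only the
        # explicit accepts below get through.
        type filter hook forward priority 0; policy drop;

        ct state established,related accept
        ct state invalid drop

        # Contractor VPN users land in the BMS zone only and may reach the
        # building controllers over their control protocols, nothing else.
        iifname "vlan-vpn" ip daddr $BMS_NET udp dport 47808 accept   # BACnet/IP
        iifname "vlan-vpn" ip daddr $BMS_NET tcp dport 502 accept     # Modbus/TCP

        # Any attempt from the BMS zone or the contractor VPN toward the CDE is
        # dropped by policy anyway; logging it explicitly is what turns a
        # blocked lateral-movement attempt into a detection.
        ip saddr $BMS_NET ip daddr $CDE_NET log prefix "BMS->CDE denied " drop
        iifname "vlan-vpn" ip daddr $CDE_NET log prefix "VPN->CDE denied " drop

        # CDE administration only from the jump host, only over SSH.
        ip saddr $JUMP_HOST ip daddr $CDE_NET tcp dport 22 accept
    }
}
```

The point of the two logging rules is that a connection attempt from the HVAC zone toward a POS address should never be legitimate, so the first “BMS->CDE denied” line in the firewall log is an alert, not noise. PCI DSS also expects segmentation to be verified by testing, so a scan from a BMS-zone host toward the CDE should be part of the annual assessment, and its only observable result should be those dropped, logged packets.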