Third Party access used in Target hack in US. A salutary lesson about data security

February 6, 2014 |

Data security is a key issue in the regulation of privacy. Security from hacking is the prominent issue for web sites. Direct attacks can be difficult to protect against, but they are not as complex a problem as third party access. In Contractor creds used in Target hack, itnews reports that the massive breach of Target's data occurred because of the stolen login credentials of a third party, an air conditioning contractor. Net result: a loss of records of 110 customer payment cards and personal records. This poses a dilemma for large organisations which use third parties, often smaller operations with less sophisticated IT systems and protection. The changes to the Privacy Act in March require organisations to maintain adequate security; to take reasonable steps, in fact. If an organisation is concerned about the security of its contractors, it will have to take steps to restrict their access to its site or require the contractors to upgrade their security. The consequences of a Target-like breach can be reputationally disastrous, but the attention of the Privacy Commissioner, with new and enhanced powers, may turn damage into disaster.

The article provides:

The massive breach of Target retail stores was achieved using stolen login credentials from a third-party air conditioning contractor, according to a report.

More than 110 million customer payment cards and personal records were stolen from US Target stores as early as November last year in a sophisticated raid targeting point of sale systems.

Hackers deployed what is thought to be the BlackPoS RAM-scraping malware between November 15 and 28 to steal cleartext payment details while in an unencrypted state.

To gain entry into the Target network, hackers used login credentials stolen from Fazio Mechanical Services, which had installed heating, ventilation and air conditioning (HVAC) in Target stores and other retailers, according to KrebsonSecurity.

Hackers uploaded their malware in a live test in which customer payment details were scraped and shipped to servers in the US and Brazil.

Those same servers were reportedly used as drops for the 70 million credit and debit cards stolen from Target. US law enforcement were attempting to gain access to the servers in Brazil.

Contractors were often given remote access to retail corporate networks in order to monitor energy usage, store temperature and networking issues, KrebsonSecurity reported.

Breaches involving compromised third party organisations are common since partners and contractors are often easier to hack than a targeted well-resourced organisation. Such organisations may provide third parties with excessive access rights under an environment with reduced security controls and monitoring.

That may go some way to explain why Target executives admitted they were unaware of the breach and that their systems failed to detect the intrusion.

Melbourne-based IPSEC director of operations Ben Robson said organisations need to increase scrutiny of third parties with access to corporate networks.

“In this case they needed proper logging, audit trail and packet capture,” Robson said.

“Organisations need to … let contractors know in no uncertain terms that they are monitoring them.”

Tools such as intrusion prevention systems can help flag suspicious third-party behaviour for further forensics analysis. Packet capture and logging should be exported to a server that third parties cannot access.
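The scoping and monitoring of contractor access that Robson describes can be checked mechanically against the logs exported to that protected server. The following is an added example, not code from the article or from any of the organisations it names; the log format, the account names and the subnets in the scope table are constructed assumptions. It flags any session in which a known third-party account reaches a host outside the network segment it was granted, whether the attempt was allowed or denied, since a denied attempt still shows the account probing beyond its remit.

```python
"""Flag third-party (contractor) account sessions that stray outside the
network scope the account was granted. Constructed example; the log format,
account names and subnets are assumptions, not data from the article."""
import ipaddress
import re

# Assumed scope table: each contractor account may only reach these subnets.
# Constructed for this example (e.g. HVAC vendor -> building-management segment).
THIRD_PARTY_SCOPE = {
    "hvac-vendor": [ipaddress.ip_network("10.50.0.0/16")],
    "sign-vendor": [ipaddress.ip_network("10.60.0.0/24")],
}

# Assumed remote-access log line layout: "<ts> user=.. src=.. dst=.. dport=.. action=.."
LINE_RE = re.compile(
    r"(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) action=(?P<action>\w+)"
)

def parse(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def out_of_scope(event):
    """True if a tracked third-party account reached a host outside its scope."""
    nets = THIRD_PARTY_SCOPE.get(event["user"])
    if nets is None:
        return False  # not a tracked contractor account; staff accounts are out of scope here
    dst = ipaddress.ip_address(event["dst"])
    return not any(dst in net for net in nets)

def find_violations(lines):
    """Return (timestamp, user, dst, dport, action) for every out-of-scope contractor event."""
    hits = []
    for line in lines:
        ev = parse(line)
        if ev and out_of_scope(ev):
            hits.append((ev["ts"], ev["user"], ev["dst"], ev["dport"], ev["action"]))
    return hits

# Constructed sample log lines (not real data): the HVAC account first reaches
# its own segment, then reaches into a different internal subnet.
SAMPLE_LOG = [
    "2013-11-15T02:14:07Z user=hvac-vendor src=203.0.113.5 dst=10.50.3.20 dport=443 action=allow",
    "2013-11-15T02:16:41Z user=hvac-vendor src=203.0.113.5 dst=10.10.8.4 dport=445 action=allow",
    "2013-11-15T02:17:02Z user=hvac-vendor src=203.0.113.5 dst=10.10.8.9 dport=3389 action=deny",
    "2013-11-15T09:00:00Z user=jsmith src=10.1.1.7 dst=10.10.8.4 dport=445 action=allow",
]

if __name__ == "__main__":
    for hit in find_violations(SAMPLE_LOG):
        print("out-of-scope third-party access:", hit)
```

A real deployment would feed this from the exported log store rather than an inline list, and would alert on the first hit rather than batch them, but the scope check itself is the same.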

Robson advised physical oversight should be maintained where possible because contractors could easily and innocently set up unauthorised devices to access a corporate network which could serve as a backdoor for attackers.

In May last year, blueprints for the new headquarters of the Australian Security and Intelligence Organisation (ASIO) were stolen by alleged Chinese hackers who raided a contractor working on the site.

Target said this week it would accelerate plans for a $100 million upgrade to deploy chip-and-pin enabled payment cards and readers which were set for mandatory use in Australia this year.
