Target Hackers had no controls limiting their access to any system: Report

Following the data breach that exposed 40 million customer debit and credit card details, Target Corp. hired Verizon security experts to investigate its networks for loopholes. The evaluation by Verizon was conducted from December 21, 2013 to March 1, 2014.

Krebsonsecurity reports that the result of the confidential probe revealed that once the attackers were inside Target’s network, there was nothing to stop them from gaining complete access to every single cash register in every Target store.

Verizon found “no controls limiting their access to any system, including devices within stores such as point of sale (POS) registers and servers.”

The report also pointed out that Verizon consultants were able to directly communicate with point-of-sale registers and servers from the core network, for instance, after compromising a deli meat scale located in a different store, they were able to communicate directly with cash registers in checkout lanes.

The infiltrators first hacked Fazio Mechanical, a small heating and air conditioning firm in Pennsylvania that worked with Target, via malware delivered in an email. Following this the attackers were able to steal the virtual private network credentials that Fazio’s technicians used to remotely connect to Target’s network.

The report said, “Verizon and the Target Red Team exploited several vulnerabilities on the internal network, from an unauthenticated standpoint. The consultants were able to use this initial access to compromise additional systems. Information on these additional systems eventually led to Verizon gaining full access to the network — and all sensitive data stored at on network shares — through a domain administrator account."