The hackers who stole millions of customers' credit and debit card numbers from Target might have used a heating and refrigeration business as the back door to get in.
If that was how they pulled it off - and investigators appear to be looking at that theory - it illustrates how vulnerable big corporations have become as they connect their computer networks to other companies to increase convenience and productivity.
Fazio Mechanical Services Inc, a contractor that does business with Target, said on Thursday it was the victim of a "sophisticated cyberattack operation", just as Target was.
It said it was co-operating with the Secret Service and Target to figure out what happened.
The statement came days after internet security bloggers identified the Sharpsburg, Pennsylvania, company as the vendor through which hackers penetrated Target's computer systems.
Once inside, the hackers installed malicious software in the company's checkout system for its estimated 1800 US stores.
Experts believe the thieves gained access during the busy holiday season to about 40 million debit and credit card numbers and the personal information of as many as 70 million customers.
Cybersecurity analysts had speculated that Fazio might have remotely monitored heating, cooling and refrigeration systems for Target, which could have provided a possible entry point for the hackers.
But Fazio denied that, saying it used its electronic connection with Target to submit bills and contract proposals.
The new details illustrate what can go wrong with the far-flung computer networks big companies increasingly rely on.
Chester Wisniewski, a senior security adviser for the computer security firm Sophos, said that while it might seem shocking that Target's systems were that connected, it was a lot cheaper for a company to manage one network rather than several.
He said he was surprised to hear the hackers might have entered via a billing system, saying those kinds of connections were supposed to provide extremely limited access to the other company's network.
As a result, while the hackers were clearly talented, it's obvious something went wrong on Target's end, he said.
"If normal practices were followed, they wouldn't have been able to get access," Wisniewski said.
Since Target disclosed the breach, banks, credit unions and other card companies have cancelled and reissued cards, closed accounts and refunded credit card holders for transactions made with the stolen data.