Hacking the “Big Boys”—Small Businesses Become Pawns

By the DynaSis Team

As if it wasn’t bad enough that cybercriminals are targeting small and midsized businesses (SMBs) for their internal corporate data, attackers have discovered another reason to “love” SMBs. Smaller companies often have far less sophisticated security defenses against cybercrime than larger enterprises. For an attacker seeking to steal and sell millions of personal data records, according to top Internet security companies, the easiest way to breach a large retailer is often by sneaking past the defenses of one of its smaller vendors.

That’s exactly what happened with the mammoth Target data breach, where the personally identifiable information (PII) of 70 million shoppers were stolen along with 40 million credit card numbers. The world has heard how serious it was, and those of us who followed the story may have learned how much the breach has cost Target, so far, in settlements alone. (If you haven’t heard, the combined settlement amounts as of December 2015 were approximately $116 million.)

What you may not know is that Target was hit, not directly through a security hole in its own defenses, but through a third-party vendor whose network credentials were stolen by the attackers. Specifically, attackers targeted Fazio Mechanical Services, Inc., a refrigeration and HVAC systems subcontractor of Target and other retailers.

An article in CIO.com broke down the attack, which the author believes required 11 specific steps, the first of which was to infect Fazio with Citadel malware using an email phishing campaign. From there, the attackers used the stolen credentials to gain access to Target-hosted web services dedicated to vendors, and the penetration was well on its way.

After news of its role broke, Fazio President and Owner Ross E. Fazio announced in a statement, “Our IT system and security measures are in full compliance with industry practices.” Apparently, being in full compliance wasn’t enough, but Fazio’s security wasn’t the only problem. As security experts point out, Target should have used more stringent network access protection with its vendors. Nevertheless, Fazio will forever be connected with one of the world’s largest (at the time) data breaches.

The litigation landscape surrounding data breaches and financial liability is still evolving, especially for peripheral firms like Fazio that are implicated in an incident. What is clear to us is that no company wants its name associated with such an event, with or without financial liability. Furthermore, if a firm has an association with a bigger fish, it could also become the “bycatch” of a breach if attackers decide that the smaller firm’s data is worth stealing, too.

In our opinion, this episode adds to the already overwhelming evidence that even the smallest SMB can no longer afford to take security lightly when it comes to defending against hackers.

About DynaSis

DynaSis has been providing managed IT support services to Metro Atlanta’s small to midsized businesses since 1992. We provide Availability – making sure your network is up and running; Mobility – allowing your employees world-wide access to your network; and Security – as an internet security company, we resolve “issues” before they grow into problems. If you want to learn more, please visit www.DynaSis.com, or call us at 678.218.1769.