Dialing Congress: Target Offers Updates on Security Breach

Source: Kevin Dooley / Flickr

Target (NYSE:TGT) offered a fresh batch of news this week on its large-scale security breach in which some 40 million credit and debit card records plus personal information of 70 million customers were stolen. The retailer has committed to keeping consumers and investors updated on the most recent findings in its ongoing investigation into the breach, and Target has stuck to its promise, sharing any good news — and even the bad.

The first new piece of information came on Wednesday when Target said that the cyber criminals who breached its system used credentials they stole from one of the retailer’s vendors, as reported by Reuters. Target spokesperson Molly Snyder explained in a statement, “The ongoing forensic investigation has indicated that the intruder stole a vendor’s credentials, which were used to access our system.”

That statement came about two weeks after journalist Brian Krebs, the man behind the security industry blog Krebs on Security, reported that the popular management software used by Target was to blame for the compromise of 40 million payment cards belonging to people who had recently shopped at the retailer. According to Ars Technica, Krebs said that malware that infected Target’s point-of-sale terminals was able to log in to a control server inside the Target network by using the account name “Best1_user” and the password “BackupU$r.” The malware functioned by taking payment card data drawn from the terminals used in checkout lines so it could then be periodically downloaded to a different service for permanent storage.

Krebs then offered an update to his findings on Wednesday and placed blame on the widely used server management program from BMC Software for allowing the hack to happen. Krebs explained, “That ‘Best1_user’ account name seems an odd one for the attackers to have picked at random, but there is a better explanation: That username is the same one that gets installed with an IT management software suite called Performance Assurance for Microsoft Servers. This product, according to its maker — Houston, Texas based BMC Software — includes an administrator-level user account called Best1_user.”

Krebs asked BMC if “BackupU$r” is the password that controls access to the “Best1_user” account, and company representatives didn’t provide an answer. But Ars Technica reports that about 24 hours after Krebs reported his findings, BMC issued a statement of its own that said in part, “BMC has confirmed that the password mentioned in the press is not a BMC-generated password. At this point, there is nothing to suggest that BMC BladeLogic or BMC Performance Assurance has a security flaw or was compromised as part of this attack.”

It is still unclear which party is telling the truth in this situation, but Dell SecureWorks reached findings similar to those Krebs uncovered and shared them in a report it distributed to customers earlier this week. Dell SecureWorks researchers wrote, “The Best1_user account appears to be associated with the Performance Assurance component of BMC Software’s Patrol product. According to BMC’s documentation, this account is normally restricted, but the attackers may have usurped control to facilitate lateral movement within the network.”
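The pattern described in the last two paragraphs, a vendor-installed, normally restricted administrator account showing up in logons from point-of-sale hosts and then from many hosts in quick succession, is something a defender can check for in authentication logs. The following is an added example, not code from the article or from any company it mentions; the log line format, host names, allowlist and thresholds are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logon records (not real Target data): who, from where, to where.
SAMPLE_LOGS = """\
2013-11-27T02:14:05Z account=Best1_user src=mgmt-01 dst=srv-app-07 result=success
2013-11-27T02:20:11Z account=Best1_user src=pos-0412 dst=srv-app-07 result=success
2013-11-27T02:21:40Z account=Best1_user src=pos-0413 dst=srv-app-07 result=success
2013-11-27T02:22:03Z account=Best1_user src=pos-0418 dst=srv-app-07 result=success
2013-11-27T02:25:30Z account=jdoe src=wks-112 dst=fileshare-02 result=success
2013-11-27T03:05:00Z account=Best1_user src=pos-0419 dst=srv-app-07 result=failure
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) account=(?P<account>\S+) src=(?P<src>\S+) "
                     r"dst=(?P<dst>\S+) result=(?P<result>\S+)$")

# Hypothetical policy: the vendor admin account is only expected from management hosts.
RESTRICTED_ACCOUNTS = {"Best1_user"}
ALLOWED_SOURCES = {"Best1_user": {"mgmt-01", "mgmt-02"}}
SPRAY_THRESHOLD = 3            # distinct source hosts in one WINDOW -> lateral movement
WINDOW = timedelta(minutes=15)

def parse(text):
    """Parse log text into time-ordered event dicts, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(ev)
    return sorted(events, key=lambda e: e["ts"])

def detect(text):
    """Return alerts for restricted accounts used from unexpected or too many hosts."""
    alerts, history, flagged = [], defaultdict(list), set()
    for ev in parse(text):
        acct = ev["account"]
        if acct not in RESTRICTED_ACCOUNTS:
            continue  # only the restricted accounts are policed here
        if ev["src"] not in ALLOWED_SOURCES.get(acct, set()):
            alerts.append({"kind": "unexpected_source", "account": acct,
                           "src": ev["src"], "result": ev["result"]})
        history[acct].append(ev)
        recent = {e["src"] for e in history[acct] if ev["ts"] - e["ts"] <= WINDOW}
        if len(recent) >= SPRAY_THRESHOLD and acct not in flagged:
            flagged.add(acct)  # one lateral-movement alert per account
            alerts.append({"kind": "many_sources", "account": acct,
                           "src": sorted(recent), "result": ev["result"]})
    return alerts
```

Failed logons are reported as well, since an attacker probing with a stolen or default credential is as interesting as a success.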

In addition, Reuters reported that on Thursday a Target representative briefed Congressional investigators by telephone about fresh details the retailer had uncovered from continuing law enforcement investigations. Isaac Reyes, an official with Target’s government relations department, told officials from the House of Representatives Oversight Committee that the U.S. Justice Department had informed Target about the breach on December 12 of last year. He didn’t say whether the retailer itself had learned of the problem earlier. According to Reuters, he also told investigators the company believed it had met every one of the requirements set in state laws and regulations regarding the disclosure of such data breaches to authorities and consumers.

Although there currently is no federal law or regulation as to when consumers and law enforcement agencies must be notified of serious data breaches, Congress has been considering legislation and is now looking at it even more seriously. Reuters reports that Reyes showed a willingness to turn over documents regarding the breach to Congressional investigators, but some investigators still harbor doubt that Target will hand in much revealing material. Target will appear at Congressional hearings next week.