Did cyberthieves attack Target contractor to get customers’ data?

Image of criminal

There’s no such thing as good news when it comes to discovering how huge security breaches happen. Cybercriminals are clearly getting more clever, more powerful and more dangerous. And now they’re going after your contractors as a way to get to your business.

That’s apparently the way cyberthieves found their way into megastore Target’s customer data and stole payment information from 40 million people, at least according to one report.

The website KrebsOnSecurity.com reported that cyberthieves sent “malware-laced” emails to employees of an HVAC contractor to Target. The attack allowed the thieves to steal Target n

etwork access information, and the rest is cybertheft history.

The question left hanging, however, is: how did the thieves know that the HVAC firm was a contractor to Target? Was that the game plan all along, or just a fortuitous discovery? No one knows, but it certainly raises an eyebrow.

According to the KrebsOnSecurity.com article:

“Many readers have questioned why the attackers would have picked on an HVAC firm as a conduit for hacking Target … But Target may have inadvertently made it easier for the attackers in this case, in part by leaving massive amounts of internal documentation for vendors on its various public-facing Web properties that do not require a login. Indeed, many of these documents would be a potential gold mine of information for an attacker.”

Not every company, of course, is so huge that it needs to implement online vendor portals. But the same problem could be playing out on a much smaller scale with many companies.

Many companies may keep contracts scattered across the organization, tucked way on (not very secure) local hard drives, on laptops, copied on flash drives, etc. Bits and pieces of information may be easily hacked via those users’ computers.

The damage may even go far beyond simply trying to steal credit card data, too. These days cyberthieves can be hired by anyone to go after key information – perhaps to turn over to your competitors or (yikes) other criminals.

The first step to protecting customer data is to ensure it’s located in a database, which then can be protected using the security tools your company deems as best. Indeed, without a process for controlling and centralizing contract data, your company could be “leaking” vital information found in contracts.

On this blog we’ve written before about the importance of thinking about contracts as truly sensitive material. See our recent blog on the topics here: Data breaches and contract data.

The central point is as important as ever: using a contract management solution such as Contract Assistant assures you can control and centralize all contract data. This is the critical first step to securing your contract documents, and without doing this first, your efforts may (or probably will) be in vain.

Unfortunately, this is probably not the last time we all will be reminded about the importance of keeping contract data out of the hands of cyberthieves. Let’s hope your organization tackles the issue head-on before it’s too late.


Photo Credit: Lanyap via Compfight cc

[About the author: Todd Hyten is a former business journalist who now writes about B2B topics and consults on content marketing. You can find him on Twitter and ]