Who would have thought that a small HVAC company would provide the key to the biggest retail hack in US history?
The answer is… the hacker, of course.
When the retail giant Target was hacked, the breach exposed credit card and personal data on more than 110 million consumers, and the tactics used will shock and alarm all business owners. Here’s why…
Size does not matter.
Smaller businesses may not think they are a target. They may even feel that they don’t have anything of value on their network. However, even if cybercriminals can’t access any customer or financial data directly from your network, they can use your system in many creative ways once they gain access.
You will see how this works when you look at what happened with the Target data breach, in which smaller unsuspecting businesses played key roles in the cybercriminals’ scheme.
Trying to directly hack into Target’s network would have been difficult, so the hackers used a different approach. Looking for a weak link, they penetrated one of Target’s vendors and gained access to Target’s system through them.
The vendor was a relatively small HVAC company, and this enormous heist started with a malicious email sent to one of its employees. Think about that for a moment.
The business owner did have some basic anti-virus software in place, but probably never thought hackers would try to get into his system. He certainly would not want to jeopardize a major account like Target, but in the end even Target’s CEO resigned due to fallout from the breach.
In an official statement on the HVAC company’s website, the President and Owner, Ross Fazio, states:
“Like Target, we are a victim of a sophisticated cyber attack operation. We are fully cooperating with the Secret Service and Target to identify the possible cause of the breach and to help create proactive remedies to enhance the security of client/vendor connections make them less vulnerable to future breaches”
I can’t help but feel bad for him. Businesses today are becoming more and more interconnected. Technology is a requirement and most small businesses don’t understand the security risks involved.
All this trouble because of an email, but it didn’t stop there. The crooks also hacked into a number of additional businesses in order to cover their tracks.
Similar to a major heist in the real world, these criminals needed a place to stash the loot until things cooled off, so they hacked into several other servers and stashed the stolen data there.
These are referred to as “drop spots,” and they consisted of computers in the United States and elsewhere that housed the stolen data until the cybercriminals could access it without the risk of getting caught. This victimized many more unsuspecting business owners who did not even know their systems had been breached.
Research shows that 31% of all cyber attacks targeted businesses with fewer than 250 employees, and that smaller organizations incur a per capita cost due to cyber attacks that is over 400% higher than that of larger organizations.
So what is the big lesson here?
Don’t risk fines, litigation and higher customer attrition. Take cybersecurity seriously and make sure you are protected.