Someone figured out how to get a Trojan into that system – so the conjecture goes. Working its way from the air conditioner through to the billing system was then only a matter of the diligence and technique of the hackers.
It isn’t only Target. See a probably much more gruesome story that is yet to reach the public eye: Hotel Franchise Firm White Lodging Investigates Breach — Krebs on Security. White Lodging is the hotel franchise group that we all know under the brands that include Hilton, Marriott, Sheraton and Westin.
From the Kreb’s Target article: Avivah Litan, a fraud analyst with Gartner, said that although the current PCI standard (PDF) does not require organizations to maintain separate networks for payment and non-payment operations (page 7), it does require merchants to incorporate two-factor authentication for remote network access originating from outside the network by personnel and all third parties — including vendor access for support or maintenance (see section 8.3).
The comments list other PCI violations. How familiar are you with this standard…or how secure is the structure of your internal walls.
Putting on my other hat as an equipment manufacturer, this conversation came up just a few days ago. It is typical for a company (you) to allow data into your system, but not so typical to let it out. It is up to you to make certain that all connections to your equipment and data server are necessary, vetted, secure, and monitored. The best way seems to be “on request” services, for example, a RESTful service with certificate authentication.
But don’t take our word for it; read up so that you can ask intelligent questions of your security personnel…and ironically, your service group.
And, good luck to us all.