The theft of credit card and personal data from more than 110 million Target Corp. customers was apparently the result of a phishing email sent to employees at an HVAC company with a new contract with the retailer, Brian Krebs reports.
The phishing campaign hit Fazio Mechanical two months or more before the Target breach happened.
Investigators say that Fazio’s use of the free version of Malwarebytes Anti-Malware may have made it easier for the thieves, and that Target made the breach more effective by allowing so much of its data to be accessed on its servers.
It’s no doubt true that American retailers are long overdue for adoption of safer “chip and PIN” technology to thwart data thieves at the point of sale. But as investigators dig deeper into the Target breach, it’s becoming clear that, had existing protections and proper protocols been appropriately used, the breach might never have happened. This may be another way of saying that whatever systems are adopted need to be “idiot-proof.” But, to be kind, anyone in charge of data protection must always keep in mind that shortcuts and penny-pinching can too easily lead to disastrous human error.