Investigators say they believe they have identified the entry point through which hackers got into Target’s systems, zeroing in on the remote access granted through the retailer’s computerized heating and cooling software, according to two people briefed on the inquiry.
Brian Krebs, a security blogger who first reported the Target breach, was also the first on Wednesday to identify the vendor whose remote access had been compromised. But investigators would not confirm the vendor’s identity. Security experts say that it is common for heating, ventilation and air-conditioning companies — so-called HVAC companies — to be granted access to clients’ networks so that they can monitor retail stores and diagnose problems remotely.
“Remote access to these systems is really common and integrators are almost always on the corporate network,” said Billy Rios, director of threat intelligence at Qualys, a cloud security firm. Mr. Rios said that the security at such companies tended to be poor and that vendors often used the same password across multiple customers.