Apparently the third-party vendor that exposed the Target network to the outside world was an IoT vendor, specifically a refrigeration/heating-ventilation and air-conditioning (HVAC) vendor.
In an exclusive story KrebsOnSecurity.com reports that the "attackers first broke into the retailer’s network on Nov. 15, 2013 using network credentials stolen from Fazio Mechanical Services, a Sharpsburg, Penn.-based provider of refrigeration and HVAC systems."
Fazio president Ross Fazio confirmed to Krebs that the US Secret Service had visited his offices, but declined other questions. The company website lists specific locations for Trader Joe’s, Whole Foods and BJ’s Wholesale Club locations in Pennsylvania, Maryland, Ohio, Virginia and West Virginia as clients of its services.
Target might have allowed an HVAC vendor remote access to its network to report fluctuations in store temperature which might affect how long a customer stayed within a given store. However, it is mystery why the point of sale system was not segmented from the rest of the Target network. In other words, if someone could exploit a vulnerability in an industrial control system, why was it possible for them to leverage that to gain access to the point of sale system.
Target may be subject to fines for violating payment card industry data security standards (PCI DSS). However, the current PCI DSS v3.0 states "Network segmentation of, or isolating (segmenting), the cardholder data environment from the remainder of an entity’s network is not a PCI DSS requirement." The scope requirements section goes on to say "Without adequate network segmentation (sometimes called a "flat network") the entire network is in scope of the PCI DSS assessment. Network segmentation can be achieved through a number of physical or logical means, such as properly configured internal network fire walls, routers with strong access control lists, or other technologies that restrict access to a particular segment of a network."
Target declined to comment directly on Krebs' report.