The HVAC Account, Target, and the Real World
It is true that the HVAC account used to infiltrate Target should never have had access to the POS systems. But it did, and that was an IT mistake. However, some of the comments about the HVAC account having "read-only" access and so on indicate a lack of awareness of what really goes on. Vendors that install and maintain building systems such as HVAC, card readers for entry and the like own those systems, and IT's access to them is either non-existent or minimal. The vendors' concern for security is also usually nonexistent. I have seen building control systems that have "admin" as the user and the company name as the password for years, across the careers of multiple technicians. The systems in many (if not all) of the other buildings maintained by these vendors had exactly the same credentials. The passwords were never changed when technicians left, no matter what the circumstances of that separation. Of course, IT could not get enforcement power over the vendors because of the siloed nature of the organizations. There are thousands of breaches waiting to happen.
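The failures described above (generic usernames, the company name as the password, credentials reused across every site the vendor maintains, and no rotation after a technician leaves) can be checked mechanically if someone keeps an inventory of vendor-managed accounts. The audit below is an added example, not code from the original post; the inventory records, site names, dates and the company name "AcmeFacilities" are all constructed.

```python
from dataclasses import dataclass
from datetime import date


@dataclass
class VendorAccount:
    site: str
    system: str
    username: str
    password: str
    last_rotated: date
    departed_technicians: list  # separation dates of techs who knew this password


# Usernames that indicate a shared, non-attributable vendor login.
GENERIC_USERS = {"admin", "administrator", "root", "service", "vendor"}


def audit(accounts, company_name):
    """Return (site, system, finding) tuples for every risky account."""
    findings = []
    # Which sites share the same username/password pair.
    seen = {}
    for a in accounts:
        seen.setdefault((a.username, a.password), set()).add(a.site)
    for a in accounts:
        if a.username.lower() in GENERIC_USERS:
            findings.append((a.site, a.system, "generic username"))
        if a.password.lower() == company_name.lower():
            findings.append((a.site, a.system, "password is the company name"))
        # Any technician who left after the last rotation still knows the password.
        for left in a.departed_technicians:
            if left > a.last_rotated:
                findings.append((a.site, a.system, f"not rotated after technician left on {left}"))
                break
        if len(seen[(a.username, a.password)]) > 1:
            findings.append((a.site, a.system, "credential shared across sites"))
    return findings


# Constructed sample inventory (hypothetical values, not from any real site).
SAMPLE = [
    VendorAccount("HQ", "HVAC BMS", "admin", "AcmeFacilities", date(2014, 3, 1), [date(2016, 7, 15)]),
    VendorAccount("Warehouse 2", "HVAC BMS", "admin", "AcmeFacilities", date(2014, 3, 1), []),
    VendorAccount("HQ", "door controller", "svc_doors", "Xp9!vq2#Lr", date(2019, 11, 2), [date(2018, 1, 9)]),
]

if __name__ == "__main__":
    for f in audit(SAMPLE, "AcmeFacilities"):
        print(f)
```

The two HVAC records trip every check; the door controller account, which is unique to its site and was rotated after its former technician left, produces no findings.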