What I Learned About Cybercrime Last Week… Beware of the Air Conditioner Man!

Although it was not a surprising result, KrebsOnSecurity reported that the hackers who broke into Target used the network credentials of the HVAC contractor. Like most retailers, when we see the HVAC contractor or other maintenance people in the building, we get out of the way and let them do their job with a minimum of supervision. I can understand that, in this interconnected world, the HVAC contractor and Target want to know immediately if the HVAC equipment has malfunctioned. I am surprised that the HVAC equipment evidently used the same network as the POS terminals. As a person who fills out the annual PCI questionnaire, I know there are a lot of questions about segregating and securing credit card data. Giving network credentials to the HVAC contractor kind of defeats the goal of segregating the credit card data from non-essential personnel.

It does make you wonder what the security folks at www.healthcare.gov are doing. As far as I can tell, the web site security questions are still unanswered. It makes me wonder what they have done and what still needs to be completed. Is there anything the www.healthcare.gov security folks can learn from the Target incident? If you believe that the exchange should be operating more like a business than an inept government program, this would be a good time for the Affordable Care Act management to be more proactive and tell the public how secure their personal data is at www.healthcare.gov. Hmm… It’s beginning to look like another missed opportunity.