Ariba caught some negative press last week in a blog speculating that the procurement and supplier management vendor might have been at the front-end to the broader criminal credit card hack and massive theft at Target. In the post, security expert Brian Krebs suggests the following about the attack:
“… [It] appears to have begun with a malware-laced email phishing attack sent to employees at an HVAC firm that did business with the nationwide retailer, according to sources close to the investigation … investigators believe the source of the Target intrusion traces back to network credentials that Target had issued to Fazio Mechanical, a heating, air conditioning and refrigeration firm in Sharpsburg, Pa. Multiple sources close to the investigation now tell this reporter that those credentials were stolen in an email malware attack at Fazio … The company did not specify which component(s) of Target’s online operations that Fazio accessed externally, but a former employee at Target said nearly all Target contractors access an external billing system called Ariba…”
The post goes on to cite a “former member of Target’s security team” who explains, “When a work order for an external vendor is created, the payment is collected through the Ariba system: Vendors log into Ariba, complete the necessary steps to close out the work order and they are later paid.”
The accusation and explanation is a curious one. Over the weekend, we spent some time trying to understand the situation in more detail, including the Ariba SaaS/cloud P2P and network architectures, security and authentication environments, and data flows – as well as the differences in on-premise implementations (Target is SaaS).
The bottom line is that we don’t believe Ariba is to blame in this case. We’ll save the details for our members if you’d like to read a more detailed analysis.
“Andale, andale … Speedy, get that cheese but leave the Amex data behind!”