According to Brian Krebs, a blogger on security issues, the hackers who broke into Target’s computer network and stole millions of credit and debit card numbers gained access through the network credentials of an HVACR contractor.
Krebs reported that sources involved in the investigation identified Fazio Mechanical Services, a provider of HVAC and refrigeration services located in Sharpsburg, Pa., as the firm whose credentials were stolen in order to gain access to Target’s customer data.
As to why Fazio Mechanical Services had network access, one cybersecurity expert speculated to Krebs that it is common for large retailers to have a vendor that “monitors energy consumption and temperatures” in order to reduce costs.
However, Ross E. Fazio, president and owner of Fazio Mechanical Services, released a statement on the Target data breach, saying:
“Fazio Mechanical Services Inc. places paramount importance on assuring the security of confidential customer data and information. While we cannot comment on the ongoing federal investigation into the technical causes of the breach, we want to clarify important facts relating to this matter:
• Fazio Mechanical does not perform remote monitoring or control of heating, cooling, or refrigeration systems for Target.
• Our data connection with Target was exclusively for electronic billing, contract submission, and project management, and Target is the only customer for whom we manage these processes on a remote basis. No other customers have been affected by the breach.
• Our IT system and security measures are in full compliance with industry practices.
• Fazio Mechanical is not the subject of the federal investigation.
“Like Target, we are a victim of a sophisticated cyber attack operation. We are fully cooperating with the Secret Service and Target to identify the possible cause of the breach and to help create proactive remedies to enhance the security of client/vendor connections to make them less vulnerable to future breaches.”
Publication date: 2/10/2014