The Target security breach that compromised the data of millions of Christmas shoppers could be traced to the cybertheft of information from a Sharpsburg-based heating, air conditioning and refrigeration company.
Fazio Mechanical Services Inc. confirmed in an online statement (.PDF) Thursday that it is involved in an ongoing federal investigation surrounding the Target breach, saying it was a victim of a "sophisticated cyber attack operation," and that it was cooperating with the retailer and the U.S. Secret Service.
"Fazio Mechanical Services Inc. places paramount importance on assuring the security of confidential customer data and information," according to the statement from Ross E. Fazio, president and owner of the company.
The company's connection to the cyberattack was revealed when sources close to the investigation told Brian Krebs, of technology security blog Krebs on Security, that hackers used network credentials stolen from Fazio to break into Target's network.
The Pittsburgh-area connection marks the latest twist in a story that began during the holiday season when Target confirmed reports that about 40 million accounts may have been impacted during a period that began just before the big Thanksgiving shopping weekend and lasted through mid-December. In January, the retailer went on to disclose that other information involving up to 70 million individuals also was taken.
In the weeks since the original breach was disclosed, other retailers have discovered problems. Both Target and Neiman Marcus sent executives to testify this week before a Senate committee about the issue of data security. Target chief financial officer John Mulligan said his company will speed up use of smart card technology meant to make it harder to use stolen credit card information.
A Target spokeswoman declined to comment on Thursday about the Fazio connection, citing the ongoing investigation. U.S. Secret Service spokesman Brian Leary confirmed an investigation is underway but declined to elaborate on its status.
One of the missions of the Secret Service, according to its website, is "to safeguard the nation's financial infrastructure and payment systems to preserve the integrity of the economy." In this case, the agency is looking into whether a cyberattack involving Fazio is related to the Target breach.
In the online statement, Mr. Fazio said the company is not responsible for remote monitoring of cooling, heating or refrigeration for Target. He said the company's data connection was "exclusively for electronic billing, contract submission and project management."
Mr. Fazio said the breach hasn't affected any of the company's other clients and said that Fazio's computer system and security measures are in line with industry best practices.
"Like Target, we are a victim of a sophisticated cyber attack operation. We are fully cooperating with the Secret Service and Target to identify the possible cause of the breach and to help create proactive initiatives that will further enhance the security of client/vendor connections making them less vulnerable to future breaches," the statement reads.
No parties involved in the investigation have discussed specifically how the breach occurred, but Mr. Krebs said it is likely a hack was triggered by a Fazio employee clicking a link that downloaded malicious software to the company's network.
From that point, all saved passwords, including passwords used to access Target's network, would have been available to hackers. But even with such an attack, it is still unclear how hackers would be able to access Target's payment system network, Mr. Krebs said.
The next step, he said, will be for the Secret Service to go back into Target's Web logs and records to find exactly how hackers were able to find their way into the payment portal.
Since this is a criminal investigation, it could be a while before the public knows the full story behind what went wrong.
"In the end, it's going to be up to Target to disclose how the breach went down," Mr. Krebs said.
Deborah M. Todd: firstname.lastname@example.org or 412-263-1652. Teresa Lindeman: email@example.com or 412-263-2018
First Published February 6, 2014 4:47 PM