Target vendor, Fazio Mechanical, confirms being victim of attack

Share this article:
The PII of up to 70 million individuals was also stolen, according to a Friday statement by Target.
Credentials stolen from Fazio Mechanical led to the Target breach.

Target announced last week that hackers were able to compromise its systems using credentials stolen from a third party vendor. On Wednesday, technology journalist Brian Krebs identified the vendor as Fazio Mechanical Services, a provider of refrigeration and HVAC systems.

In his report, Krebs sourced unnamed individuals close to the investigation and said he confirmed with Fazio Mechanical that the U.S. Secret Service had investigated the company with regard to the Target breach.

On Thursday, in an effort to clear up speculation, Ross Fazio, president and owner of Fazio Mechanical, released a written statement.

“Our data connection with Target was exclusively for electronic billing, contract submission and project management, and Target is the only customer for whom we manage these processes on a remote basis,” Fazio wrote, adding no other customers were impacted by the breach.

Fazio wrote that he could not speak regarding the ongoing investigation, but explained that Fazio Mechanical was the victim of a sophisticated attack, and added that the company is taking measures to enhance security so that a similar incident does not happen in the future.

“Fazio Mechanical does not perform remote monitoring of or control of heating, cooling and refrigeration systems for Target,” Fazio said, adding that the company IT system and security measures are in full compliance with industry practices.

Two researchers with Qualys noted that 55,000 HVAC systems are connected to the internet and contain basic security flaws, according to a statement emailed to on Thursday. At the time, this served as one explanation as to why Fazio Mechanical would be in possession of Target's credentials.

Molly Snyder, a Target spokeswoman, told on Thursday that the investigation is ongoing and further details are unavailable.

[An earlier version of this story was updated following a Thursday release by Fazio Mechanical Services]. 

Share this article:

Sign up to our newsletters

More in News

Incapsula mitigates multi-vector DDoS attack lasting longer than a month

Incapsula mitigates multi-vector DDoS attack lasting longer than ...

Incapsula's scrubbing servers were able to filter out more than 50 petabits of malicious DDoS traffic aimed at a video game company for longer than a month.

UPS announces breach impacting 51 U.S. locations

The shipping and printing provider said malware has been present on some stores' computer systems since mid-January.

'Machete' espionage campaign targets orgs in Venezuela, Ecuador

The campaign targets Spanish speaking victims, which also appears to be the native language of attackers.