Target vendor, Fazio Mechanical, confirms being victim of attack

Share this article:
The PII of up to 70 million individuals was also stolen, according to a Friday statement by Target.
Credentials stolen from Fazio Mechanical led to the Target breach.

Target announced last week that hackers were able to compromise its systems using credentials stolen from a third party vendor. On Wednesday, technology journalist Brian Krebs identified the vendor as Fazio Mechanical Services, a provider of refrigeration and HVAC systems.

In his report, Krebs sourced unnamed individuals close to the investigation and said he confirmed with Fazio Mechanical that the U.S. Secret Service had investigated the company with regard to the Target breach.

On Thursday, in an effort to clear up speculation, Ross Fazio, president and owner of Fazio Mechanical, released a written statement.

“Our data connection with Target was exclusively for electronic billing, contract submission and project management, and Target is the only customer for whom we manage these processes on a remote basis,” Fazio wrote, adding no other customers were impacted by the breach.

Fazio wrote that he could not speak regarding the ongoing investigation, but explained that Fazio Mechanical was the victim of a sophisticated attack, and added that the company is taking measures to enhance security so that a similar incident does not happen in the future.

“Fazio Mechanical does not perform remote monitoring of or control of heating, cooling and refrigeration systems for Target,” Fazio said, adding that the company IT system and security measures are in full compliance with industry practices.

Two researchers with Qualys noted that 55,000 HVAC systems are connected to the internet and contain basic security flaws, according to a statement emailed to SCMagazine.com on Thursday. At the time, this served as one explanation as to why Fazio Mechanical would be in possession of Target's credentials.

Molly Snyder, a Target spokeswoman, told SCMagazine.com on Thursday that the investigation is ongoing and further details are unavailable.

[An earlier version of this story was updated following a Thursday release by Fazio Mechanical Services]. 

Share this article:

Sign up to our newsletters

More in News

Latest Citadel trick allows RDP access after malware's removal

Latest Citadel trick allows RDP access after malware's ...

Trusteer, an IBM company, said the new Citadel configuration was detected this month.

Cryptoblocker variant emerges, encryption differs from CryptoLocker

Trend Micro has detected a variant of CryptoLocker in the wild that relies on the advanced encryption standard.

Jimmy John's sandwich chain investigating possible breach

Some financial institutions have indicated that credit cards recently used at Jimmy John's locations have been used to make fraudulent purchases.