Target vendor, Fazio Mechanical, confirms being victim of attack

Share this article:
The PII of up to 70 million individuals was also stolen, according to a Friday statement by Target.
Credentials stolen from Fazio Mechanical led to the Target breach.

Target announced last week that hackers were able to compromise its systems using credentials stolen from a third party vendor. On Wednesday, technology journalist Brian Krebs identified the vendor as Fazio Mechanical Services, a provider of refrigeration and HVAC systems.

In his report, Krebs sourced unnamed individuals close to the investigation and said he confirmed with Fazio Mechanical that the U.S. Secret Service had investigated the company with regard to the Target breach.

On Thursday, in an effort to clear up speculation, Ross Fazio, president and owner of Fazio Mechanical, released a written statement.

“Our data connection with Target was exclusively for electronic billing, contract submission and project management, and Target is the only customer for whom we manage these processes on a remote basis,” Fazio wrote, adding no other customers were impacted by the breach.

Fazio wrote that he could not speak regarding the ongoing investigation, but explained that Fazio Mechanical was the victim of a sophisticated attack, and added that the company is taking measures to enhance security so that a similar incident does not happen in the future.

“Fazio Mechanical does not perform remote monitoring of or control of heating, cooling and refrigeration systems for Target,” Fazio said, adding that the company IT system and security measures are in full compliance with industry practices.

Two researchers with Qualys noted that 55,000 HVAC systems are connected to the internet and contain basic security flaws, according to a statement emailed to on Thursday. At the time, this served as one explanation as to why Fazio Mechanical would be in possession of Target's credentials.

Molly Snyder, a Target spokeswoman, told on Thursday that the investigation is ongoing and further details are unavailable.

[An earlier version of this story was updated following a Thursday release by Fazio Mechanical Services]. 

Share this article:

Sign up to our newsletters

More in News

Facebook scam leads victims to Nuclear exploit kit

Researchers at Symantec say attackers are becoming more aggressive and using Facebook scams to exploit users' computers.

eBay faces class-action suit over breach

eBay faces class-action suit over breach

A suit filed in a federal court in Louisiana charges the company with failing to protect personal information and seeks damages on multiple counts.

Five schools earn NSA's excellence in cyber ops distinction

The schools earned NSA's Centers for Academic Excellence designation for their cyber offerings.