Target announced last week that hackers were able to compromise its systems using credentials stolen from a third party vendor. On Wednesday, technology journalist Brian Krebs identified the vendor as Fazio Mechanical Services, a provider of refrigeration and HVAC systems.
In his report, Krebs sourced unnamed individuals close to the investigation and said he confirmed with Fazio Mechanical that the U.S. Secret Service had investigated the company with regard to the Target breach.
On Thursday, in an effort to clear up speculation, Ross Fazio, president and owner of Fazio Mechanical, released a written statement.
“Our data connection with Target was exclusively for electronic billing, contract submission and project management, and Target is the only customer for whom we manage these processes on a remote basis,” Fazio wrote, adding no other customers were impacted by the breach.
Fazio wrote that he could not speak regarding the ongoing investigation, but explained that Fazio Mechanical was the victim of a sophisticated attack, and added that the company is taking measures to enhance security so that a similar incident does not happen in the future.
“Fazio Mechanical does not perform remote monitoring of or control of heating, cooling and refrigeration systems for Target,” Fazio said, adding that the company IT system and security measures are in full compliance with industry practices.
Two researchers with Qualys noted that 55,000 HVAC systems are connected to the internet and contain basic security flaws, according to a statement emailed to SCMagazine.com on Thursday. At the time, this served as one explanation as to why Fazio Mechanical would be in possession of Target's credentials.
Molly Snyder, a Target spokeswoman, told SCMagazine.com on Thursday that the investigation is ongoing and further details are unavailable.
[An earlier version of this story was updated following a Thursday release by Fazio Mechanical Services].