Target breach tied to cyberattack on heating firm

The Target Corp. security breach that compromised the data of millions of Christmas shoppers has been traced to the cybertheft of information from a Sharpsburg, Pa.-based heating, air conditioning and refrigeration company.

Fazio Mechanical Services Inc. confirmed in an online statement Thursday that it is involved in an ongoing federal investigation related to the Target breach, saying that it was a victim of a “sophisticated cyberattack operation” and that it was cooperating with the retailer and the U.S. Secret Service.

“Fazio Mechanical Services Inc. places paramount importance on assuring the security of confidential customer data and information,” according to the statement from Ross E. Fazio, president and owner of the company.

The company’s connection to the cyberattack was revealed when sources close to the investigation told Brian Krebs, of technology security blog Krebs on Security, that hackers used network credentials stolen from Fazio Mechanical Services to break into Target’s network.

It’s the latest twist in a story that began during the Christmas season when Target confirmed reports that about 40 million accounts may have been compromised during a period that began just before the big Thanksgiving shopping weekend and lasted through mid-December. In January, the retailer went on to disclose that other information involving up to 70 million people also was taken.

In the weeks since the original breach was disclosed, other retailers have discovered problems. Both Target and Neiman Marcus sent executives to testify this week before a Senate committee about the issue of data security. Target Chief Financial Officer John Mulligan said his company will speed up use of smart card technology meant to make it harder to use stolen credit card information.

A Target spokesman declined to comment about the Fazio connection, citing the ongoing investigation. U.S. Secret Service spokesman Brian Leary confirmed an investigation is underway but declined to elaborate on its status.

One of the missions of the Secret Service, according to its website, is “to safeguard the nation’s financial infrastructure and payment systems to preserve the integrity of the economy.” In this case, the agency is looking into whether a cyberattack involving Fazio is related to the Target breach.

In the online statement, Ross Fazio said the company is not responsible for remote monitoring of cooling, heating or refrigeration for Target. He said the company’s data connection was “exclusively for electronic billing, contract submission and project management.”

Ross Fazio said the breach hasn’t affected any of the company’s other clients and said that Fazio’s computer system and security measures are in line with industry best practices.

“Like Target, we are a victim of a sophisticated cyberattack operation. We are fully cooperating with the Secret Service and Target to identify the possible cause of the breach and to help create proactive initiatives that will further enhance the security of client/vendor connections making them less vulnerable to future breaches,” the statement says.

No parties involved in the investigation have discussed specifically how the breach occurred, but Krebs said it is likely a hack was triggered by a Fazio employee clicking a link that downloaded malicious software to the company’s network.

From that point, all saved passwords, including passwords used to access Target’s network, would have been available to hackers. But even with such an attack, it is still unclear how hackers would be able to access Target’s payment system network, Krebs said.

The next step, he said, will be for the Secret Service to go back into Target’s Web logs and records to find exactly how hackers were able to find their way into the payment portal.

Because this is a criminal investigation, it could be a while before the public knows the full story behind what went wrong.

“In the end, it’s going to be up to Target to disclose how the breach went down,” Krebs said.

Business, Pages 27 on 02/08/2014
