Information on the Target (and other retailers) credit card data breach continues to circulate as investigations proceed. Brian Krebs of Krebs on Security, who broke the initial story, is now coming forward with the name of the third-party vendor who may have left Target exposed, allowing the hackers to plant malware in its point-of-purchase systems. Last week Target informed the Wall St. Journal that the initial breach could be traced back to a third-party vendor from which network credentials were stolen.
Krebs on Security is reporting that, according to its sources, the third-party vendor is HVAC provider Fazio Mechanical Services, based in Pennsylvania. Speculation focused on a theory that Fazio Mechanical Services was using network access to remotely monitor heating and cooling temperatures. Fazio Mechanical Services issued the following statement refuting those charges:
Fazio Mechanical Services, Inc. places paramount importance on assuring the security of confidential customer data and information. While we cannot comment on the on-going federal investigation into the technical causes of the breach, we want to clarify important facts relating to this matter:
- Fazio Mechanical does not perform remote monitoring of or control of heating, cooling and refrigeration systems for Target.
- Our data connection with Target was exclusively for electronic billing, contract submission and project management, and Target is the only customer for whom we manage these processes on a remote basis. No other customers have been affected by the breach.
- Our IT system and security measures are in full compliance with industry practices.
Like Target, we are a victim of a sophisticated cyber attack operation. We are fully cooperating with the Secret Service and Target to identify the possible cause of the breach and to help create proactive initiatives that will further enhance the security of client/vendor connections making them less vulnerable to future breaches.
Fazio also has been contracted by other retailers including Trader Joe’s, Whole Foods, and some BJ’s Wholesale Club locations in Pennsylvania, Maryland, Ohio, Virginia, and West Virginia. Keep in mind that authorities have reported that they are looking into other data breaches at retailers yet to be confirmed. Fazio president Ross Fazio has confirmed that the U.S. Secret Service has paid a visit to its offices, but that he was not present at the time of the visit. Other Fazio officials are not commenting.
The Krebs on Security article also goes into detail about the timeline of the breach and where the stolen data was stored in the US and in other countries. The Target data breach affected up to 110 million individuals who shopped at Target stores during the busy Christmas holiday season, in a period beginning at the end of November and running through December 15. I can confirm that even though Target states the breach window was closed on December 15, information stored on a credit card used by my wife at a Target store on December 17 was stolen and subsequently used in an attempted fraudulent purchase that was caught by the bank that issued the card. Target acknowledges that if you shopped at its stores in Midwest City, Oklahoma on December 16 or December 17, you should keep an eye on your credit card purchases. My wife’s transaction took place in the Washington DC area.