While it's been widely reported since Wednesday that Fazio Mechanical Services was the third-party vendor whose login information the Target hackers hijacked, president and owner Ross E. Fazio has finally put out an official statement confirming his company's role in the attack.
In the statement, Fazio denies that his company had performed any sort of remote heating or cooling monitoring for Target's stores, which was supposedly how the hackers were able to gain access to Target's systems through Fazio in the first place. Instead, Fazio claims, "Our data connection with Target was exclusively for electronic billing, contract submission and project management, and Target is the only customer for whom we manage these processes on a remote basis."
Regardless of whether or not Fazio Mechanical Services was remotely monitoring Target's systems, the question of why Target wasn't using two-factor authentication remains. Fazio's statement in its entirety follows:
Fazio Mechanical Services, Inc. places paramount importance on assuring the security of confidential customer data and information. While we cannot comment on the on-going federal investigation into the technical causes of the breach, we want to clarify important facts relating to this matter:
• Fazio Mechanical does not perform remote monitoring or control of heating, cooling or refrigeration systems for Target.
• Our data connection with Target was exclusively for electronic billing, contract submission and project management, and Target is the only customer for whom we manage these processes on a remote basis. No other customers have been affected by the breach.
• Our IT system and security measures are in full compliance with industry practices.
• Fazio Mechanical is not the subject of the federal investigation.
Like Target, we are a victim of a sophisticated cyber attack operation. We are fully cooperating with the Secret Service and Target to identify the possible cause of the breach and to help create proactive remedies to enhance the security of client/vendor connections and make them less vulnerable to future breaches.