HVAC Vendor Confirms Link to the Massive Target Data Breach

While it's been widely reported since Wednesday that Fazio Mechanical Services was the third-party vendor whose login credentials the Target hackers hijacked, president and owner Ross E. Fazio has finally put out an official statement confirming his company's role in the attack.

In the statement, Fazio denies that his company had performed any sort of remote heating or cooling monitoring for Target's stores; this was, supposedly, how the hackers were able to gain access to Target's systems through Fazio in the first place. Instead, Fazio claims, "Our data connection with Target was exclusively for electronic billing, contract submission and project management, and Target is the only customer for whom we manage these processes on a remote basis."


Regardless of whether or not Fazio Mechanical Services was remotely monitoring Target's systems, the question of why Target wasn't using two-factor authentication remains. Fazio's statement in its entirety follows:

Fazio Mechanical Services, Inc. places paramount importance on assuring the security of confidential customer data and information. While we cannot comment on the on-going federal investigation into the technical causes of the breach, we want to clarify important facts relating to this matter:

• Fazio Mechanical does not perform remote monitoring or control of heating, cooling or refrigeration systems for Target.

• Our data connection with Target was exclusively for electronic billing, contract submission and project management, and Target is the only customer for whom we manage these processes on a remote basis. No other customers have been affected by the breach.

• Our IT system and security measures are in full compliance with industry practices.

• Fazio Mechanical is not the subject of the federal investigation.

Like Target, we are a victim of a sophisticated cyber attack operation. We are fully cooperating with the Secret Service and Target to identify the possible cause of the breach and to help create proactive remedies to enhance the security of client/vendor connections and make them less vulnerable to future breaches.


[FazioMechanical.com via PC Mag]

Last Month's Massive Target Hack Was the Heating Guy's Fault

Authorities may have finally pinpointed the source of the massive Target security breach that allowed hackers to swipe the credit and debit card information of up to 40 million customers. So who's the culprit? One extremely unfortunate HVAC maintenance man.


According to security blogger Brian Krebs, the "third party vendor" on whom Target had been piling the blame for the breach was actually "a refrigeration, heating, and air conditioning subcontractor," Fazio Mechanical Services. Apparently, the hackers stole Fazio's login credentials and were able to access the Target network through the vendor's account.

Fazio president Ross Fazio even confirmed to Krebs that the U.S. Secret Service had paid his company's headquarters a little visit in connection with the Target case, although that's about all the detail he was willing to give.

So why was a third-party HVAC company's login able to grant hackers access to such sensitive customer data? In short, it saves Target money—or at least it was supposed to. A cybersecurity expert who chose to remain nameless revealed to Krebs that large retailers will often hire a team to monitor energy consumption and cut costs whenever possible. As the source explained to Krebs:

To support this solution, vendors need to be able to remote into the system in order to do maintenance (updates, patches, etc.) or to troubleshoot glitches and connectivity issues with the software. This feeds into the topic of cost savings, with so many solutions in a given organization. And to save on head count, it is sometimes beneficial to allow a vendor to support versus train or hire extra people.


After lifting the contractor's login information, the hackers were then able to test their malware on a small number of Target's registers totally undetected between Nov 15 and Nov 28. According to investigators speaking to Krebs, two days later, the hacking software had spread to "a majority" of Target stores and was actively collecting data from live customer transactions between Nov 27 and Dec 15.

As of now, it's still not totally clear what kind of legal consequences Target is facing for not adhering to current payment card industry security standards, which require two-factor authentication for remote access to the network—something Target didn't have. Even if it somehow manages to slide by unscathed in court, the company is still facing hundreds of millions of dollars in bank reimbursements, fines, legal fees, and customer service costs.

The U.S. government is currently in talks with Brazilian authorities to try to gain access to the servers where they believe the Target data is being held. Hopefully, now that we know how this whole mess got started, we can avoid repeating such a massive breach ever again.


[Krebs on Security via Wall Street Journal]