Future Tense

Target’s Heating and Refrigeration Company Gave Hackers the Key to Customer Data

One of the companies Target uses for HVAC and refrigeration work had login credentials for Target’s central network that hackers used in their November attack.



The massive Target data breach is a symbol of the need for tighter data security in big retail chains, but it’s also still an evolving story in its own right. The hackers were able to infiltrate Target’s system by stealing login credentials from a third-party contractor, so they could just waltz right in. And now Krebs on Security is reporting that Fazio Mechanical Services, an HVAC and refrigeration company, was the weak link.

The company, based in Sharpsburg, Pa., does regular work for Target stores. Its president, Ross Fazio, confirmed that the Secret Service paid his company a visit about the Target situation, though he was out at the time. Fazio Vice President Daniel Mitsch wouldn’t say anything more about the visit. Target spokeswoman Molly Snyder declined to comment to Krebs on Security because of a “very active and ongoing investigation” into the breach.

According to its website, Fazio Mechanical has also done work at various times for Trader Joe’s, Whole Foods, and BJ’s Wholesale Club locations in Pennsylvania, Maryland, Ohio, Virginia, and West Virginia. So could the problem be larger than just Target? It’s not yet known why Fazio had remote access to Target’s network, especially the payment system network, but Krebs on Security spoke to a cybersecurity expert who suggested that Target may have given the company access so it could do energy-consumption monitoring to regulate the ambient temperature in stores so customers wouldn’t be uncomfortably hot or cold.

Though there’s no more information right now about what happened, Fazio does not seem to be directly to blame, since Target made its systems vulnerable by giving at least one contractor remote access to systems the contractor didn’t need, in addition to the ones it did. HVAC and refrigeration are crucial services to Target, but this was probably an unnecessary vote of confidence.