Target credit card hackers stole mechanical contractor's credentials to break in

Feb. 8, 2014
Hackers downloaded malware onto the point-of-sale card readers of Target stores, stealing the credit and debit card information of 40 million customers. Cyber crime expert and former Washington Post staffer Brian Krebs reports new information. The U.S. Secret Service has visited the offices of Fazio Mechanical Services, Sharpsburg, Pa. Initial speculation was that Fazio had network credentials for energy monitoring.

THE INVESTIGATION into the security breach at Target stores that lead to the theft of credit card data of millions of shoppers is now focusing on the mechanical contractor. Multiple news sources have reported that authorities are talking to Fazio Mechanical Services, Sharpsburg, Pa.

The thieves, in Eastern Europe or Russia, downloaded their malware onto Target's computer network some time after Nov. 15 and had time to test it to make sure that it was working properly, reports cyber crime and internet security expert Brian Krebs. The stolen data was then hidden in "dumps," other compromised computers in the U.S. and elsewhere, where the intruders could safely access the stolen credit and debit card data.

Once the investigation turned toward Fazio Mechanical Services, which performs HVAC and refrigeration services for Target and other large retailers, initial speculation was they they had network access for energy monitoring services, Krebs reported on his website

"It’s not immediately clear why Target would have given an HVAC company external network access, or why that access would not be cordoned off from Target’s payment system network. But according to a cybersecurity expert at a large retailer who asked not to be named because he did not have permission to speak on the record, it is common for large retail operations to have a team that routinely monitors energy consumption and temperatures in stores to save on costs (particularly at night) and to alert store managers if temperatures in the stores fluctuate outside of an acceptable range that could prevent customers from shopping at the store."

But that's not the actual reason, Krebs reported. In a statement issued through a PR agency Feb. 6, Fazio Mechanical Services said their connection into Target was for billing, contract administration and project management. To find out more, go to KrebsOnSecurity.

Voice your opinion!

To join the conversation, and become an exclusive member of Contractor, create an account today!

Sponsored Recommendations