A recent report claims that the initial attack launched in November against the retail giant Target was traced back to network credentials stolen from “a refrigeration, heating and air conditioning subcontractor.” This subcontractor performed service at a number of Target locations and those of “other top retailers“, according to an article published on the KrebsOnSecurity web site. The article indicates that the “network credentials” were stolen from a Pennsylvania-based “provider of refrigeration and HVAC systems” called Fazio Mechanical Services.
According to the article, the subcontractor has serviced other retail outlets including “Trader Joe’s, Whole Foods and BJ’s Wholesale Club” in the states of “Pennsylvania, Maryland, Ohio, Virginia and West Virginia“. The article confirmed that agents from the United States Secret Service visited the Fazio headquarter offices regarding the Target investigation. Company President Ross Fazio confirmed, according to the report, that he “was not present when the visit occurred” but another company officer,Vice President Daniel Mitsch, declined to answer questions about the visit.
The article stated, “It’s not immediately clear why Target would have given an HVAC company external network access, or why that access would not be cordoned off from Target’s payment system network.” The report continued to say that the case investigators “shared additional details about the timeline of the breach and how the attackers moved stolen data off of Target’s network” and confirmed that they “succeeded in uploading their card-stealing malicious software to a small number of cash registers within Target stores.”