Pa. vendor confirms link to Target data probe

Getty Images: Patrick T. Fallon, Bloomberg                

​Customers purchase merchandise at a Target Corp. store opening ahead of Black Friday in Chicago on Nov. 28, 2013.
            

  By Joe Mandak of Associated Press

  Internet security bloggers identified the cyber attack operation as the third-party vendor through which hackers accessed Target's customer information.

 

PITTSBURGH — The hackers who stole millions of debit and credit card numbers from Target's computer systems may have gained access by first infiltrating the network of a western Pennsylvania heating and refrigeration contractor.

Fazio Mechanical Services Inc., of Sharpsburg, Pa., issued the statement late Thursday saying it was the victim of a "sophisticated cyberattack operation." The statement came days after Internet security bloggers identified it as the third-party vendor through which hackers accessed Target's computer systems.

Target has said it believes hackers initially gained access to its vast computer network through one of its vendors. Once inside, the hackers moved through the retailer's network and eventually installed malicious software into the company's point-of-sale system.

The series of hacks, experts believe, gave thieves access to some 40 million debit and credit card numbers, along with the personal information of another 70 million people.

Related: Target: Hackers attacked with stolen credentials

The new details about Target's breach illustrate just how vulnerable large corporations have become as they expand and connect computer networks to offer greater convenience and increase productivity.

U.S. Secret Service spokesman Brian Leary confirmed that Fazio Mechanical Services is being investigated, but wouldn't provide details.

Molly Snyder, spokeswoman for Minneapolis-based Target, declined comment citing the ongoing investigation.

Federal prosecutors in Pittsburgh referred calls to their counterparts in Minnesota, where Assistant U.S. Attorney Steve Schleicher, acting criminal division chief, declined comment on the Fazio link, in particular, and the overall investigation.

"Like Target, we are a victim of a sophisticated cyberattack operation," Ross Fazio, the company's president and owner, said in a statement. Fazio's company is cooperating with the Secret Service and Target to identify the possible cause of the breach, he said.

Fazio Mechanical Services also denied reports on blogs and other outlets that said the company remotely monitored heating, cooling and refrigeration for Target, which has about 1,800 stores nationwide.

Fazio's statement explained that his company has an electronic connection with Target, which it uses to submit bills and contract proposals.

Target has said hackers breached its systems during the holiday shopping season and stole about 40 million debit and credit card numbers and the personal information, including names, email addresses, phone numbers and home addresses of as many as 70 million customers.

Banks, credit unions and other entities that issued debit and credit cards have had to cancel and reissue cards, close transactions or accounts, and refund or credit card holders for transactions made with the stolen data.

Target has said its customers won't be responsible for any losses.

Related: Target: Data breach caught up to 70M customers