As authorities trace the origins of the Target credit card data breach that possibly affected at least 70 million credit and debit card account holders, they found out that perpetrators used the log-in information of Fazio Mechanical Services in Pennsylvania.
While Fazio Mechanical is virtually unknown to people across the United States, it is the heating, ventilation, and air conditioning services (HVAC) company that Target relies on to monitor its energy consumption and costs. The cybercriminals used the credentials of the third-party vendor to access the cash registers of the chain of retail stores, upload the malware that will help collect the information of cards, and perfectly timed the attack during the holiday shopping rush.
Security news and investigative site KrebsonSecurity reported that sources familiar to the ongoing investigation revealed that it was through usage of the HVAC service provider's network credentials that the attack was initiated in November.
"Fazio president Ross Fazio confirmed that the U.S. Secret Service visited his company's offices in connection with the Target investigation, but said he was not present when the visit occurred. Fazio Vice President Daniel Mitsch declined to answer questions about the visit," reported KrebsonSecurity that also first reported about the incident last year.
Krebs' source explained that while it might not be obvious why Target will grant a service provider access to its network, it is common practice in the retail industry to tap third parties to monitor consumption of energy and temperature fluctuations.
"To support this solution, vendors need to be able to remote into the system in order to do maintenance (updates, patches, etc.) or to troubleshoot glitches and connectivity issues with the software. This feeds into the topic of cost savings, with so many solutions in a given organization. And to save on head count, it is sometimes beneficial to allow a vendor to support versus train or hire extra people," the source said.
The same sources told Krebs that the stolen data were dropped to several locations across the globe such as one in Miami and in Brazil.
Earlier reports reveal that the BlackPOS malware used during the attack was created by a Russian teenager from St. Petersburg. The 17-year-old programmer might not be liable since he was not directly involved with the cyber attack. Security experts who have looked into the matter claimed that the malware was undetectable to antivirus or antimalware software. The credit card and debit card information of account holders are decrypted at the point of sale when authorization of the system was needed to process the transaction and this vulnerability was taken advantage of by the criminals. Encrypted information such as PIN information of card holders were stolen via the networked cash registers of Target.
During the holiday rush, Target was not only the victim of the attack. Neiman Marcus also revealed that its system was hacked, affecting at least a million card holders.
Fazio Mechanical Services does not only serve Target. It also helps out specific branches of Trader Joe's, BJ's Wholesale Club, and Whole Foods in Pennsylvania, Virginia, West Virginia, Maryland, and Ohio.
The investigations are far from being over and it is not yet clear whether Target is liable for the breach based on existing industry security standards.
A Gartner analyst estimates losses of Target to hit around $420 million following the breach.