Customers might have to be worried about another range of companies thanks to the Target credit card security breach. The retailer reported that the initial intrusion into its network was traced back to credentials stolen from Fazio Mechanical Services, a refrigeration, heating, and air conditioning company hired by Target. Hackers used the stolen credentials between November 15th and November 28th to upload card-stealing malware to many of Target's cash registers, and within a month, completely infiltrate the system.
Target isn't the only one under investigation
Krebs on Security explains that Fazio Mechanical could have had access to Target's network for maintenance purposes. It's common practice for large companies to hire teams to monitor energy consumption in stores to help save on energy costs. Those teams need to have remote access to the company's network, so that is one way the HVAC company could have had long-term access to Target's system.
However, that does not explain why the retailer's maintenance network led the hackers to its payment network. It's possible that Target had the maintenance and payment networks connected, making it easy for hackers to access one from the other. But Krebs alluded to an even more unsettling scenario — the networks could have been separated from the start, but the hackers found a way to connect them.
well @johnbumgarner it is possible that they *were* segmented, but that the bad guys figured out how to bridge them.
— briankrebs (@briankrebs) February 5, 2014
Fazio Mechanical president Ross Fazio confirmed that the US Secret Service — which has not been shy about its investigation — has visited the company's offices while investigating the Target breach. It makes sense for the Department of Justice to take a hard look at Fazio: the HVAC contractor has completed projects for Trader Joe’s, Whole Foods, BJ’s Wholesale Club, and others, suggesting those companies could be susceptible to similar attacks. While the identities of the hackers are still unknown, this discovery shows how even the most tangental connection to a huge company like Target could open the door for hackers to access information. Target is now rushing to install chip-enabled smart cards to provide better security at the point of sale, but it can only try to control what happens in its stores.