Here's the Company That Caused the Target Hack  

Future Tense
The Citizen's Guide to the Future
Feb. 6 2014 11:41 AM

Target's Heating and Refrigeration Company Gave Hackers the Key to Customer Data

183983968-customer-shops-for-groceries-at-a-target-store-on
One of the companies Target uses for HVAC and refrigeration work had login credentials for Target's central network that hackers used in their November attack.

Photo by Scott Olson/Getty Images

The massive Target data breach is a symbol of the need for tighter data security in big retail chains, but it's also still an evolving story in its own right. The hackers were able to infiltrate Target's system by stealing login credentials from a third-party contractor, so they could just waltz right in. And now Krebs on Security is reporting that Fazio Mechanical Services, an HVAC and refrigeration company, was the weak link.

The company, based in Sharpsburg, Pa., does regular work for Target stores. Its president, Ross Fazio, confirmed that the Secret Service paid his company a visit about the Target situation, though he was out at the time. Fazio Vice President Daniel Mitsch wouldn't say anything more about the visit. Target spokeswoman Molly Snyder declined to comment to Krebs on Security because of a "very active and ongoing investigation" into the breach.

Advertisement

According to its website, Fazio Mechanical has also done work at various times for Trader Joe’s, Whole Foods, and BJ’s Wholesale Club locations in Pennsylvania, Maryland, Ohio, Virginia, and West Virginia. So could the problem be larger than just Target? It's not yet known why Fazio had remote access to Target's network, especially the payment system network, but Krebs on Security spoke to a cybersecurity expert who suggested that Target may have given the company access so it could do energy-consumption monitoring to regulate the ambient temperature in stores so customers wouldn't be uncomfortably hot or cold.

Though there's no more information right now about what happened, Fazio seems like it is not directly to blame, since Target made its systems vulnerable by providing at least one contractor with remote access to systems that it didn't need, in addition to the ones it did. HVAC and refrigeration are crucial services to Target, but this was probably an unnecessary vote of confidence.

Future Tense is a partnership of SlateNew America, and Arizona State University.

Lily Hay Newman is lead blogger for Future Tense.

  Slate Plus
Slate Picks
Oct. 31 2014 12:02 PM What Happened at Slate This Week?  Staff writer Alison Griswold shares what stories intrigued her at the magazine this week.