The hackers who carried out the massive data breach at the Target Corporation appear to have gained access via a small refrigeration contractor that connected to the retailer’s systems to do electronic billing. The privately held company, Fazio Mechanical Services Inc., with about 125 employees, said Thursday it was “a victim of a sophisticated cyberattack operation” and was cooperating with investigators at the Secret Service.
The details provided by the company’s owner, Ross Fazio, offer new clues to how hackers infiltrated Target’s computer system and eventually stole millions of credit- and debit-card numbers and personal data during a security breach that lasted from Nov. 27 to Dec. 18.
Fazio Mechanical began working with Target in 2006 installing and maintaining refrigerator systems in stores as the discounter expanded its fresh food offerings. Through that relationship, the contractor was linked remotely to Target’s computer systems for electronic billing, contract submission and project management. Secret Service agents visited Fazio Mechanical’s offices earlier in the week.
The connection between the two is another reminder of the risks faced by large corporations when they grant contractors access to their large, interconnected computer systems. Hackers commonly go after low-level victims to get credentials to access a bigger company’s network. Then they move through the system until they find a company’s crown jewels—in this case credit and debit card numbers.
Target was the only customer to which Fazio Mechanical had remote access, and no other customer was affected in the breach, Mr. Fazio said. Fazio lists Target as a client on its website, but it is unclear how the hackers would have thought to look for the company or learned Fazio had access to Target’s systems.
Federal investigators are also looking into a similar data breach at the luxury retailer Neiman Marcus Group, where over the course of several months hackers may have stolen data from as many as 1.1 million payment cards. At congressional hearings earlier this week, Neiman Chief Information Officer Michael Kingston said the company hasn’t determined how hackers entered its system to plant the malicious software.