NEW YORK, N.Y. – The hackers who stole millions of credit and debit card numbers from Target may have used a Pittsburgh-area heating and refrigeration business as the back door to get in.
Fazio Mechanical Services Inc., a contractor that does business with Target, issued a statement Thursday saying it was the victim of a “sophisticated cyberattack operation,” just like Target. It said it is co-operating with the Secret Service and Target to figure out what happened.
The statement came days after Internet security bloggers identified the Sharpsburg, Pa., company as the third-party vendor through which hackers penetrated Target’s computer systems.
The new details about the Target breach illustrate just how vulnerable big corporations have become as they expand and connect computer networks to offer greater convenience and increase productivity.
“Companies really have to look at the risks associated with that,” said Ken Stasiak, CEO of SecureState, a Cleveland-based firm that investigates data breaches. Stasiak added that industry regulations require companies to separate corporate operations such as contracts and billing from the financial information of consumers.
Target has said it believes hackers gained access to its vast computer network through one of its vendors. Once inside, the hackers moved through the network and installed malicious software in the company’s checkout system.
Experts believe the thieves gained access during the busy holiday season to about 40 million debit and credit card numbers and the personal information — including names, email addresses, phone numbers and home addresses — of as many as 70 million customers.
Secret Service spokesman Brian Leary confirmed that investigators are looking into the attack at Fazio Mechanical Services, but wouldn’t provide details. Molly Snyder, spokeswoman for Minneapolis-based Target, would not comment, citing the investigation.
Federal prosecutors in Pittsburgh referred calls to their counterparts in Minnesota, where Assistant U.S. Attorney Steve Schleicher, acting criminal division chief, would not discuss the investigation.
“Like Target, we are a victim of a sophisticated cyberattack operation,” Ross Fazio, the company’s president and owner, said in a statement.
Fazio Mechanical Services denied reports on blogs and other outlets that said the company remotely monitored heating, cooling and refrigeration for Target, which has about 1,800 stores nationwide. Ross Fazio said his company has an electronic connection with Target that it uses to submit bills and contract proposals.
In the weeks since Target disclosed the breach, banks, credit unions and other card companies have cancelled and reissued cards, closed accounts and refunded credit card holders for transactions made with the stolen data. Target has said its customers won’t be responsible for any losses.
AP reporter Joe Mandak reported from Pittsburgh.