Target Vendor Acknowledges BreachCompany Cites 'Sophisticated Cyber-Attack'
A refrigeration vendor serving Target Corp. acknowledges that it was breached. The news is significant because Target announced earlier that its massive data breach was the result of hackers stealing electronic credentials from one of its vendors (see: Target Breach: Credentials Stolen).
The Target breach compromised as many as 40 million payment card accounts, along with the personal information of about 70 million customers.
In a statement, Fazio Mechanical Services notes, "Like Target, we are a victim of a sophisticated cyber-attack operation. We are fully cooperating with the Secret Service and Target to identify the possible cause of the breach and to help create proactive initiatives that will further enhance the security of client/vendor connections, making them less vulnerable to future breaches."
Target officials declined to comment on Fazio's announcement. "Because this continues to be a very active and ongoing investigation, I don't have additional information to share at this time," a spokesperson told Information Security Media Group.
Fazio Mechanical Services notes in its statement that the firm "does not perform remote monitoring of, or control of, heating, cooling and refrigeration systems for Target. Our data connection with Target was exclusively for electronic billing, contract submission and project management, and Target is the only customer for whom we manage these processes on a remote basis. No other customers have been affected by the breach."
The Fazio statement also notes that the company's IT system and security measures "are in full compliance with industry practices." And the company says it will not offer further comment on the ongoing federal investigation.
Making the Connection
Avivah Litan, an analyst at the consultancy Gartner Research, explains how the breach of the vendor might have paved the way to the Target breach.
"If the [Target] cardholder data environment wasn't sufficiently segmented from the contractor environment, the criminals could have found their way over to the POS systems just by getting into the contractor account," she says.
News of Fazio Mechanical Services being the third-party vendor linked in the Target breach was first reported by security blogger Brian Krebs.