Report: Target hackers used HVAC-service company’s credentials

Minneapolis – The hackers responsible for the recent Target data breach reportedly gained initial access to the retailer’s network using credentials stolen from a heating, ventilation and air conditioning (HVAC) vendor. According to the New York Times, the hackers, using the vendor’s access, were able to break into Target’s network and from there were able to compromise a server storing the personal data of 70 million customers, as well as in-store POS systems that allowed access to 40 million credit and debit card numbers.



In related news, Reuters reported the U.S. Secret Service visited refrigeration contractor Fazio Mechanical Services, Sharpsburg, Pa., this week to determine its possible connection with Target’s security breach. Target is a client of Fazio’s, and law enforcement officials suspect that hackers stole login credentials from Fazio and may have used them to break into Target’s network. Security blogger Brian Krebs reported that Fazio president Ross Fazio had confirmed the visit by the Secret Service in connection with the Target probe.



Target did not comment on the report.



Security specialists confirmed for the Times that Target’s HVAC system, similar to many other retailers’ systems, is connected to the Internet, but it is not currently clear whether Target required the HVAC vendor to use a second, temporary password in addition to the credentials or if Target’s vendors connect to its network via virtual private network (VPN), which is more secure than direct access. Target passed a security audit in November 2013, the same month when the breach initially occurred.

Read an Expert Opinion on the subject by Dwayne Melancon, chief technology officer, Tripwire.