Target hackers used IDs from refrigeration contractor, report says
By NICK WOLTMAN and JULIO OJEDA-ZAPATA, St. Paul Pioneer Press
MINNEAPOLIS — The hackers who made off with the personal and financial data of millions of Target shoppers last fall gained access to the company’s network using credentials stolen from a Pennsylvania-based refrigeration company, according to a report Wednesday by cyber-security journalist Brian Krebs.
Krebs, the first to report news of the Target data breach in December, wrote that Target’s network was breached Nov. 15. Once inside, the thieves installed malicious software that collected payment card data during transactions. Target has previously said the customer data was stolen between Nov. 27 and Dec. 15.
Target said last month that stolen vendor credentials were used to gain access to its network.
Krebs’ report appears in a post on his website, KrebsOnSecurity.com. The revelation should bring authorities closer to catching the data thieves, a security expert said.
“It’s a critical piece of information,” said Avivah Litan, a fraud analyst with information security research firm Gartner. “If (the authorities) know how (the thieves) got in, they have a record of where that login request came from. They should be able to trace it back.”
The refrigeration company named in Krebs’ post, Fazio Mechanical Services, lists two Target jobs on its company website under “Fazio Mechanical’s Projects” — one in Hilliard, Ohio, and the other in Columbia, Md. Both projects are described as “renovation and new refrigeration systems.” The company is based in the Pittsburgh suburb of Sharpsburg.
Fazio President Ross Fazio reportedly told Krebs that the “U.S. Secret Service visited his company’s offices in connection with the Target investigation.”
A law enforcement official confirmed Wednesday that a possible connection between Fazio’s access to Target’s network and the data breach is being investigated.
Target spokeswoman Molly Snyder said in an email: “Because this continues to be a very active and ongoing investigation, we don’t have additional information to share at this time.”
The Secret Service acknowledged that it is investigating the Target breach, but declined to provide more specific information.
A message left with Fazio was not returned Wednesday.
Minneapolis-based Target announced the data breach Dec. 19, a day after it was reported by Krebs, saying the purchasing information from up to 40 million customers was stolen between Nov. 27 and Dec. 15. In testimony before a Senate committee Tuesday, Target CFO John Mulligan said some data continued to be compromised from that breach until Dec. 18.
Last month, Target acknowledged that additional information from up to 70 million customers was stolen in a separate breach.
A security expert said this exploit has two distinct phases: First, gaining access to the refrigeration company. Second, using that access as a springboard into Target’s own network and financial data.
The Pioneer Press is a media partner with Forum News Service.