It is so unfortunate and strange that Target's (NYSE: TGT) massive data breach can be traced back to one vendor. An HVAC vendor at that. However, that is what investigators found after the months-long investigation into the breach.
The source of the breach can be traced back to network credentials that Target issued to Fazio Mechanical, an HVAC firm in Sharpsburg, Pa. "Multiple sources close to the investigation now tell this reporter that those credentials were stolen in an email malware attack at Fazio that began at least two months before thieves started stealing card data from thousands of Target cash registers," Brian Krebs of KrebsonSecurity wrote.
Fazio Mechanical, however, defended its security measures and its role in the Target breach. "Our IT system and security measures are in full compliance with industry practices," said Fazio President Ross E. Fazio in a statement. At the same time, Fazio did not deny that the breach stemmed from his company.
"Like Target, we are a victim of a sophisticated cyber attack operation," Fazio said. "We are fully cooperating with the Secret Service and Target to identify the possible cause of the breach and to help create proactive remedies to enhance the security of client/vendor connections and make them less vulnerable to future breaches."
Fazio Mechanical also said that it does not perform remote monitoring or control of heating, cooling or refrigeration systems for Target. "Our data connection with Target was exclusively for electronic billing, contract submission and project management, and Target is the only customer for whom we manage these processes on a remote basis. No other customers have been affected by the breach," Fazio said.
It is mind-blowing that a single weak security link at one vendor could wreak the kind of havoc that it has. Not only is the breach expected to cost Target a total of $1 billion, but banks have already spent $172 million on re-issuing the impacted consumers' cards. Plus, the National Association of Federal Credit Unions (NAFCU) has projected that the credit union community will likely suffer $30 million in damages linked to the fraud.
Krebs suspects this is how the HVAC firm unwittingly became part of the massive security breach: "Many of these email malware attacks start with shotgun attacks that blast out email far and wide; only after the attackers have had time to comb through the victim list for interesting targets do they begin to separate the wheat from the chaff," he wrote.
However, Target may not be without blame here. The retailer "may have inadvertently made it easier for the attackers in this case by leaving massive amounts of internal documentation for vendors on its various public-facing Web properties that do not require a login," Krebs wrote.