By Betty Stephens
The hackers who stole millions of customers' credit and debit card numbers from Target may have used a Pittsburgh-area heating and refrigeration business as the way to get in through a back door. Experts believe the thieves gained access during the busy holiday season to about 40 million credit and debit card numbers and the personal information including names, email addresses, phone numbers and home addresses of as many as 70 million customers.
Investigators appear to be looking at that theory. It shows how vulnerable big corporations have become as they expand and connect their computer networks to other companies to increase convenience and productivity. Fazio Mechanical Services, a contractor that does business with Target, said in a statement Thursday that it was the victim of a "sophisticated cyber attack operation," just as Target was. It said it is cooperating with the Secret Service and Target to figure out what happened.
President Ross Fazio confirmed that the U.S. Secret Service visited his company’s offices in connection with the Target investigation. Fazio Mechanical also has done refrigeration and HVAC projects for specific Trader Joe’s, Whole Foods and BJ’s Wholesale Club locations in Pennsylvania, Maryland, Ohio, Virginia and West Virginia.
It’s not immediately clear why Target would have given an HVAC company external network access, or why that access would not be cordoned off from Target’s payment system network. But a cyber security expert at a large retailer said it is common for large retail operations to have a team that routinely monitors energy consumption and temperatures in stores to save on costs and to alert store managers if temperatures in the stores fluctuate outside of an acceptable range that could keep customers from shopping at the store.
The new details illustrate what can go wrong with the far-flung computer networks that big companies increasingly rely on. "Companies really have to look at the risks associated with that," said Ken Stasiak, CEO of Secure State, a Cleveland firm that investigates data breaches. Stasiak said industry regulations require companies to keep corporate operations such as contracts and billing separate from consumer financial information.
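The segmentation question raised above (can a vendor's remote-access zone reach the payment network?) is the kind of thing a defender can check mechanically. The following is an added illustration, not code from the article or from any company named in it: it runs a reachability search over a constructed zone-to-zone allow policy (the zone names and both rule sets are hypothetical) and reports which cardholder-data zones the vendor zone can reach, contrasting a flat network with a segmented one.

```python
from collections import deque

# Constructed zone names for the illustration (hypothetical, not any real network).
ZONES = {"vendor_vpn", "corporate", "building_mgmt", "billing", "pos", "payment_processor"}
CDE_ZONES = ("pos", "payment_processor")  # cardholder data environment

# Weak policy: vendor lands in the corporate zone, and corporate is flat ("any").
WEAK_POLICY = {
    ("vendor_vpn", "corporate"),
    ("corporate", "any"),
    ("pos", "payment_processor"),
}

# Segmented policy: vendor is confined to the building-management (HVAC/energy) zone.
SEGMENTED_POLICY = {
    ("vendor_vpn", "building_mgmt"),
    ("corporate", "building_mgmt"),
    ("corporate", "billing"),
    ("pos", "payment_processor"),
}


def find_path(policy, src, dst, zones=ZONES):
    """BFS over allow rules; returns the chain of zones from src to dst, or None.

    A rule (s, "any") is expanded to every zone other than s, which is how a
    flat internal network lets a foothold in one zone become reach into all.
    """
    parent = {src: None}
    queue = deque([src])
    while queue:
        zone = queue.popleft()
        if zone == dst:
            path = []
            while zone is not None:
                path.append(zone)
                zone = parent[zone]
            return path[::-1]
        for s, d in policy:
            if s != zone:
                continue
            for target in (zones - {s} if d == "any" else {d}):
                if target not in parent:
                    parent[target] = zone
                    queue.append(target)
    return None


def vendor_exposure(policy, vendor="vendor_vpn"):
    """Map each reachable CDE zone to the rule chain that exposes it (empty = segmented)."""
    return {cde: p for cde in CDE_ZONES if (p := find_path(policy, vendor, cde))}
```

Running `vendor_exposure(WEAK_POLICY)` shows the vendor zone reaching both payment zones through the flat corporate zone, while `vendor_exposure(SEGMENTED_POLICY)` returns nothing.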
Since Target disclosed the breach, banks, credit unions and other card companies have canceled and reissued cards, closed accounts and refunded credit card holders for transactions made with the stolen data. A lawsuit has been filed seeking class-action status on behalf of financial institutions nationwide that have spent time and money helping customers deal with the effects of the data breach.