Target HVAC Vendor Says It Was Hacked, Too

HVAC vendor Fazio Mechanical Systems posted its denial of involvement on its home page

The HVAC vendor taking the blame for giving hackers access to Targets network said Feb. 6 it was also a victim of hackers.

The company, Fazio Mechanical Services in Sharpsburg, Penn., did install heating and ventilation systems for Target stores and did have access to Target’s network, company President Ross Fazio confirmed to Krebs on Security.

The HVAC vendor did not use the connection for remote monitoring or tuning of Target environmental control systems, according to a statement posted by Fazio on the company’s home page: “Fazio Mechanical does not perform remote monitoring of or control of heating, cooling and refrigeration systems for Target,” the statement read. “Our data connection with Target was exclusively for electronic billing, contract submission and project management, and Target is the only customer for whom we manage these processes on a remote basis. No other customers have been affected by the breach.”

HVAC systems are often connected to the Internet, and it is not unusual for HVAC or other vendors to have access to a big-box store’s networks either for remote monitoring or communications, or for those connections to be granted more rights on the network than they really need, according to a CSOOnline story quoting Tripwire CTO Dwayne Melancon.

There is a building-control system in Target’s Minneapolis headquarters that is connected to the Internet, as a matter of fact, according to CSOOnline, though it was impossible to discover without hacking it whether the building-control interface would also provide access to Target’s corporate network.

Fazio could not comment on technical causes of the breach, but that the company is cooperating with the Secret Service and Target’s own internal investigation. “Like Target, we are a victim of a sophisticated cyber attack operation,” the statement added. “We are fully cooperating with the Secret Service and Target to identify the possible cause of the breach and to help create proactive initiatives that will further enhance the security of client/vendor connections making them less vulnerable to future breaches. ”

The company offered no details on what type of attack might have been involved or what role Fazio’s connection might have played.

 

Image: Fazio Mechanical Services