‘HVAC Firm at Center of Target Data Breach Also Counts Wal-Mart, Costco as Customers
Access was reportedly given to help power savings, but network wasn't properly isolated from consumer data
According to sources of Washington Post security researcher Brian Krebs -- the first member of the media to catch wind of the breach -- the hackers had a little help from an insecure third party. They reportedly struck by first compromising servers at an air conditioning business in Sharpsburg, Penn., which Target used as a contractor. The firm -- Fazio Mechanical Service -- has a flashy portfolio of high-profile clients which includes not only Target and all of the aforementioned retailers/grocers, but a number of other large firms that Mr. Krebs and other early reports have not mentioned.
This latest news emerged after Reuters and The Wall Street Journal quoted Target executives last week as saying that the breach occurred via a compromised third-party contractor. Digging around on Fazio's clients page, which remains active following Mr. Krebs' post, I found that the list of high-profile clients doesn't stop with the three other companies Mr. Krebs mentioned.
It turns out that Fazio's blue chip client list is even bigger, including large retail locations belonging to Wal-Mart Stores, Inc. (WMT) (and its subsidiary Sam's Club), Costco Wholesale Corp. (COST), and the ALDI Group; gas stations belonging to Marathon Oil Corp. (MRO) and Exxon Mobil (XOM); and restaurant locations belonging to Denny's Corp. (DENN) and others.
It is unclear why Mr. Krebs didn't notice these other, even bigger clients, but the discovery clearly shows that his comments are even more important than they sounded based on his shorter list.
These clients helped Fazio to earn the distinction of being the largest heating, ventilation, and air conditioning (HVAC) commercial sales and repair company in the western Pennsylvania area. Fazio had service centers in Pennsylvania, as well as outposts in nearby states, including Maryland, Ohio, Virginia, and West Virginia.
It appears increasingly likely that Mr. Krebs' sources are correct -- there was a breach at Fazio that led to a breach at its client (Target). Fazio President Ross Fazio confirmed that he received a recent visit from the Secret Service in connection with the ongoing Target investigation.’