Massive Target Breach Traced to HVAC Vendor

At long last, it appears investigators have found the cause of the Target breach. The retailing giant last week revealed that the source of the costly drama was connected to network credentials stolen from a third-party vendor.

Now, KrebsOnSecurity is reporting that the vendor in question was a refrigeration, heating and air conditioning subcontractor that has worked at a number of locations at Target and other top retailers. Brian Krebs, a security blogger, said sources close to the investigation claim the attackers first broke into the retailer's network on Nov. 15, 2013 using network credentials stolen from Fazio Mechanical Services, an HVAC systems provider. Target has not officially issued a statement.

"Fazio president Ross Fazio confirmed that the U.S. Secret Service visited his company's offices in connection with the Target investigation, but said he was not present when the visit occurred," Krebs said on his blog. "Fazio Vice President Daniel Mitsch declined to answer questions about the visit. According to the company's homepage, Fazio Mechanical also has done refrigeration and HVAC projects for specific Trader Joe's, Whole Foods and BJ's Wholesale Club locations in Pennsylvania, Maryland, Ohio, Virginia and West Virginia."

IP-Addressable Appliances

We caught up with Dwayne Melancon, chief technology officer for security software firm Tripwire, to get his take on the latest Target breach revelations. He told us this is something you'll see a lot more of in the evolving "Internet of Things" world.

"HVAC's are IP-addressable appliances now, which means they have network access and logins. It wouldn't be unusual for contractors to have an HVAC login," Melancon said. "The trouble is that a lot of people implementing 'smart devices' do not recognize the security risks of placing them on a production network where they can access other sensitive data or systems."

As he sees it, this is yet another example of...
