People close to the investigation into the data breach suffered by Target have revealed that the attackers stole the credentials used to penetrate the retailer’s systems from Fazio Mechanical Services, a Pennsylvania-based company that provides heating, ventilation, and air conditioning (HVAC) services.
Brian Krebs has learned that the US Secret Service has visited the company’s offices, but Fazio representatives have refused to provide any details.
Fazio provides HVAC services to a number of companies in Ohio, Virginia, West Virginia, Maryland and Pennsylvania, including Whole Foods, Trader Joe’s and BJ’s Wholesale Club.
Experts have told Krebs that the most likely scenario why a HVAC services provider would have access to Target’s computer systems is that the company remotely monitors energy consumption and temperatures in stores.
In order to offer support, Fazio had been most likely given remote access to Target’s computer systems.
Other details have also been brought to light by investigators. It appears that the stolen data was uploaded to serves in a number of locations, not just Russia. Part of the data was spotted on the servers of a Miami firm, and machines located in Brazil.
As far as the malware used in the attack is concerned, the attackers first infected only a small number of point-of-sale (POS) registers in order to perform some tests. This occurred between November 15 and November 28, 2013.
By the end of November, the malware had been distributed to most Target POS systems.
In a recent hearing before the US Senate, a Target executive has admitted that they only learned of the breach after being contacted by authorities.
The retailer’s chief financial officer has revealed that the company plans on rolling out PIN and chip technology in stores by early 2015. Target is prepared to invest $100 million (€74 million) to make it happen.