Authorities may have finally pinpointed the source of the massive Target security breach that allowed hackers to swipe the credit and debit card information of up to 40 million customers. So who's the culprit? One extremely unfortunate HVAC maintenance man.


According to security blogger Brian Krebs, the "third party vendor" on which Target had been piling the blame for the breach was actually "a refrigeration, heating, and air conditioning subcontractor," Fazio Mechanical Services. Apparently, the hackers stole Fazio's login credentials and used them to get into the Target network.


Fazio president Ross Fazio even confirmed to Krebs that the U.S. Secret Service had paid his company's headquarters a little visit in connection with the Target case, although that's about all the detail he was willing to give.

So why was a third-party HVAC company's login able to grant hackers access to such sensitive customer data? In short, it saves Target money, or at least it was supposed to. A cybersecurity expert who chose to remain nameless told Krebs that large retailers will often hire an outside team to monitor energy consumption and cut costs wherever possible. As the source explained to Krebs:

To support this solution, vendors need to be able to remote into the system in order to do maintenance (updates, patches, etc.) or to troubleshoot glitches and connectivity issues with the software. This feeds into the topic of cost savings, with so many solutions in a given organization. And to save on head count, it is sometimes beneficial to allow a vendor to support versus train or hire extra people.

After lifting the contractor's login credentials, the hackers were able to test their malware on a small number of Target's registers, totally undetected, between Nov 15 and Nov 28. According to investigators speaking to Krebs, two days later the malware had spread to "a majority" of Target stores and was actively collecting data from live customer transactions between Nov 27 and Dec 15.

As of now, it's still not totally clear what legal consequences Target is facing for not adhering to current payment card industry security standards, which require two-factor authentication for remote access to the network, something Target didn't have. Even if it somehow manages to slide by unscathed in court, the company is still facing hundreds of millions of dollars in bank reimbursements, fines, legal fees, and customer service costs.


The U.S. government is currently in talks with Brazilian authorities to try to gain access to the servers where they believe the Target data is being held. Hopefully, now that we know how this whole mess got started, we can avoid repeating such a massive breach ever again.

[Krebs on Security via Wall Street Journal]