Report: Target Hackers Slipped In Via Vent ... Maintenance Company


The latest intelligence on the Target breach saga suggests that the hackers got in through the A/C vents... but not the way you think. Instead of creeping in through the vents themselves, they supposedly used an HVAC maintenance company's credentials to gain access to Target's internal networks.

Cybersecurity blogger Brian Krebs, who first broke the Target hack story in December, cited "sources close to the investigation" as saying that Fazio Mechanical Services, a company providing refrigeration and HVAC services to Target, was likely the vector through which the hackers attacked. It was previously known that an unspecified vendor's credentials had likely been pilfered, but this is much more specific — specific enough, in fact, that the company reportedly received a visit from the Secret Service.

It sounds a little strange, but in a way it's no different from a thief putting on a maintenance worker's overalls in order to sneak into a store. Companies like Fazio must work closely with customers' systems. Since their workers have to get in and out, they might have to sync with company payroll services, and so on.

Such companies may have a level of access similar to that of the people running Target's servers or managing a store, but may also have more lax security policies.

It seems, according to Krebs' sources, that the hackers tested the waters by uploading their credit card skimming software to a few stores on Nov. 15. Then, once the system showed itself to be working satisfactorily, they installed it en masse on Nov. 28.

Target is working with Congress and federal authorities to track down the perpetrators of what has been called the largest single credit card credential theft of all time; at least 40 million people had their card information stolen, and millions more had phone numbers and addresses leaked. At the same time, the company will be determining the extent of its financial responsibility for the breach: estimates put its potential losses in the hundreds of millions.