NEW YORK (AP) — A western Pennsylvania heating and refrigeration contractor that services Target retail stores said it was the victim of a "sophisticated cyberattack operation" that may have allowed hackers to infiltrate Target's computer systems and steal millions of debit and credit card numbers.
Fazio Mechanical Services Inc., of Sharpsburg, Pa., issued the statement after Internet security bloggers identified it as the third-party vendor through which hackers accessed Target's computer systems. Target has said it believes hackers initially gained access to its vast computer network through one of its vendors. Once inside, the hackers moved through the retailer's network and eventually installed malicious software into the company's point-of-sale system.
The series of hacks, experts believe, gave thieves access to some 40 million debit and credit card numbers, along with the personal information of another 70 million people.
U.S. Secret Service spokesman Brian Leary confirmed that Fazio's business is being investigated, but wouldn't provide details.
Molly Snyder, spokeswoman for Minneapolis-based Target, declined comment citing the ongoing investigation.
Federal prosecutors in Pittsburgh referred calls to their counterparts in Minnesota, where Assistant U.S. Attorney Steve Schleicher, acting criminal division chief, declined comment on the Fazio link, in particular, and the overall investigation.
"Like Target, we are a victim of a sophisticated cyberattack operation," Ross Fazio, the company's president and owner, said in a statement. Fazio's company is cooperating with the Secret Service and Target to identify the possible cause of the breach, he said.
Fazio Mechanical Services also denied reports on blogs and other outlets that said the company remotely monitored heating, cooling and refrigeration for Target, which has about 1,800 stores nationwide.
Fazio's statement explained that his company has an electronic connection with Target, which it uses to submit bills and contract proposals.
Target has said hackers breached its systems during the holiday shopping season and stole about 40 million debit and credit card numbers and the personal information, including names, email addresses, phone numbers and home addresses of as many as 70 million customers.
Banks, credit unions and other entities that issued debit and credit cards have had to cancel and reissue cards, close transactions or accounts, and refund or credit card holders for transactions made with the stolen data.
Target has said its customers won't be responsible for any losses.