NEW YORK (AP) — The hackers who stole millions of debit and credit card numbers from Target's computer systems may have gained access by first infiltrating the network of a western Pennsylvania heating and refrigeration contractor.
Fazio Mechanical Services Inc., of Sharpsburg, Pa., issued a statement late Thursday saying it was the victim of a "sophisticated cyberattack operation." The statement came days after Internet security bloggers identified it as the third-party vendor through which hackers accessed Target's computer systems.
Target has said it believes hackers initially gained access to its vast computer network through one of its vendors. Once inside, the hackers moved through the retailer's network and eventually installed malicious software into the company's point-of-sale system.
The series of hacks, experts believe, gave thieves access to about 40 million debit and credit card numbers and the personal information, including names, email addresses, phone numbers and home addresses, of as many as 70 million customers. Target has said the data was pilfered during the busy holiday shopping season.
The new details about Target's breach illustrate just how vulnerable large corporations have become as they expand and connect computer networks to offer greater convenience and increase productivity.
U.S. Secret Service spokesman Brian Leary confirmed that Fazio Mechanical Services is being investigated, but wouldn't provide details.
Molly Snyder, spokeswoman for Minneapolis-based Target, declined comment citing the ongoing investigation.
Federal prosecutors in Pittsburgh referred calls to their counterparts in Minnesota, where Assistant U.S. Attorney Steve Schleicher, acting criminal division chief, declined comment on the Fazio link, in particular, and the overall investigation.
"Like Target, we are a victim of a sophisticated cyberattack operation," Ross Fazio, the company's president and owner, said in a statement. Fazio's company is cooperating with the Secret Service and Target to identify the possible cause of the breach, he said.
Fazio Mechanical Services also denied reports on blogs and other outlets that said the company remotely monitored heating, cooling and refrigeration for Target, which has about 1,800 stores nationwide.
Fazio said in the statement that his company has an electronic connection with Target, which it uses to submit bills and contract proposals.
In the weeks since Target disclosed the breach, banks, credit unions and other card issuers have cancelled and reissued cards, closed transactions or accounts, and refunded credit card holders for transactions made with the stolen data.
Target has said its customers won't be responsible for any losses.