The Target Corp hackers managed to break into its payments network by first breaching a “data connection” between the U.S. retailer and its heating and ventilation systems contractor, a representative for the contractor said on Thursday.
The data connection was used by the vendor, Fazio Mechanical Services, to bill Target and exchange contract and project management information with the retailer, according to Dick Roberts, a public relations representative for Fazio.
Target, the third-largest U.S. retailer, has said the hackers stole about 40 million credit and debit card records, as well as personal information, such as addresses and phone numbers, belonging to about 70 million customers.
Target spokeswoman Molly Snyder declined on Thursday to comment on the company’s vendor relationships or to provide an update. “This is an active and ongoing investigation. I don’t have additional details to share at this time,” she said.
Last week, Target said the theft of a vendor’s credentials had helped cyber criminals pull off the massive data breach, which occurred during the holiday shopping season in late 2013. Target did not identify the vendor.
The U.S. Secret Service is investigating the Target attack, and said on Wednesday that its agents had visited the offices of Fazio Mechanical Services, based in Sharpsburg, Pennsylvania.
Fazio does not believe the hackers breached any data or data connections involving any of its other customers, Roberts said.
Ross E. Fazio, president and owner of Fazio Mechanical Services, said in a statement that his company was “fully cooperating” with Target and the Secret Service “to identify the possible cause of the breach.”
Fazio provides Target with heating, ventilation and air conditioning services, which are maintained physically. Fazio did not monitor these systems by remote control, Roberts said.