Report: HVAC vendor confirms possible link to Target breach
Minneapolis — Fazio Mechanical Services Inc., a heating and refrigeration vendor based in Sharpsburg, Pa., has reportedly confirmed it was the victim of a cyber attack that may have allowed hackers to gain access to financial and personal data of millions of Target customers. According to the Associated Press, the Secret Service confirmed it is investigating Fazio, which released a public statement acknowledging the investigation.
The investigation centers on a hack of a data connection Fazio dedicates to electronic billing, contract submission and project management for Target. The company said it does not remotely monitor actual heating/refrigeration activities and that it does not use the compromised connection for any other clients.
"Like Target, we are a victim of a sophisticated cyber attack operation," Fazio president and owner Ross Fazio said in a statement. "We are fully cooperating with the Secret Service and Target to identify the possible cause of the breach and to help create proactive initiatives that will further enhance the security of client/vendor connections making them less vulnerable to future breaches."
Target declined to comment in the article.
SunEdison completes 306 kW solar system for Whole Foods in Brooklyn
Belmont, Calif. — SunEdison, a solar technology manufacturer and provider of solar energy services, announced the completion of a 306 kW DC (direct current) solar system for Whole Foods Market in Brooklyn, N.Y.
SunEdison designed the system using an innovative parking canopy structure that collects rainwater while protecting customers from the elements. The two companies have worked together since 2004 and have jointly deployed 1.5 MW (megawatts) of solar projects.
Whole Foods Brooklyn is designed to be 0% more energy efficient than the average grocery store with more than 25% of site power needs being met by solar energy. The rainwater collected by the parking canopy is fed into a 30,000-gallon underground cistern where it is filtered and used for non-potable purposes throughout the store.
"Environmental stewardship is an essential part of our core values and we spend a tremendous amount of our time thinking about how we can improve our efforts," said J’aime Mitchell, green mission specialist for Whole Foods Market’s Northeast Region. "Working with a partner like SunEdison has been a tremendous benefit for us as they’re continuously willing to create innovative designs that help us achieve our renewable energy goals."
Report: Target hackers used HVAC-service company’s credentials
Minneapolis – The hackers responsible for the recent Target data breach reportedly gained initial access to the retailer’s network using credentials stolen from a heating, ventilation and air conditioning (HVAC) vendor. According to the New York Times, the hackers used the vendor’s access to break into Target’s network and from there compromised a server storing the personal data of 70 million customers, as well as in-store POS systems that allowed access to 40 million credit and debit card numbers.
In related news, Reuters reported the U.S. Secret Service visited refrigeration contractor Fazio Mechanical Services, Sharpsburg, Pa., this week to determine its possible connection with Target’s security breach. Target is a client of Fazio’s, and law enforcement officials suspect that hackers stole login credentials from Fazio and may have used them to break into Target’s network. Security blogger Brian Krebs reported that Fazio president Ross Fazio had confirmed the visit by the Secret Service in connection with the Target probe.
Target did not comment on the report.
Security specialists confirmed for the Times that Target’s HVAC system, similar to many other retailers’ systems, is connected to the Internet. It is not currently clear whether Target required the HVAC vendor to use a second, temporary password in addition to the credentials, or whether Target’s vendors connect to its network via virtual private network (VPN), which is more secure than direct access. Target passed a security audit in November 2013, the same month the breach initially occurred.