Heating vents may have given Target hackers their opening

Network credentials boosted from a Target contractor specializing in ventilation systems are the way that hackers likely got access to the company.

Seth Rosenblatt Former Senior Writer / News

Senior writer Seth Rosenblatt covered Google and security for CNET News, with occasional forays into tech and pop culture. Formerly a CNET Reviews senior editor for software, he has written about nearly every category of software and app available.

See full bio

Seth Rosenblatt

Feb. 5, 2014 4:33 p.m. PT

The credentials that hackers used to get into Target's network appear to have come from a compromised HVAC contractor. Target

The Target hack that shook the American credit card industry and delivered up to 110 million customer records to the bad guys was reportedly successful thanks to a side-door left open by a Target contractor.

The hackers were able to get credentials for Target's network stolen from Fazio Mechanical Services, a heating, ventilation, and air conditioning (HVAC) company, according to independent security reporter Brian Krebs. They were first used to access Target's network on November 15, 2013.

Fazio President Ross Fazio told Krebs that the US Secret Service, which customarily investigates these kinds of cases, visited his company's offices in Sharpsburg, Penn., but that he wasn't there during the visit.

A fraud analyst with Gartner estimated to Krebs that Target could be forced to pay up to $420 million to cover costs associated with the breach, including noncompliance with credit card network standards, banks reissuing cards, legal fees, credit monitoring, and other costs. Those costs apparently don't include an upgrade to the more secure chip-and-pin credit cards and card readers.