Fazio Mechanical Services Inc., of Sharpsburg, issued the statement after Internet security bloggers identified it as the third-party vendor through which hackers accessed Target's customer information. Target had previously told reporters the store believed hackers accessed 40 million of its customers' card numbers through a vendor's system.
U.S. Secret Service spokesman Brian Leary has confirmed an investigation into Fazio's business, but wouldn't provide details.
Molly Snyder, spokeswoman for Minneapolis-based Target, declined comment because of the "active an ongoing investigation."
Federal prosecutors in Pittsburgh - whose offices are just a few miles from the heating and refrigeration company - referred calls to their counterparts in Minnesota, where Assistant U.S. Attorney Steve Schleicher, acting criminal division chief declined comment on the Fazio link, in particular, and the overall investigation.
"Like Target, we are a victim of a sophisticated cyber attack operation," said a statement from Ross Fazio, the company's president and owner. "We are fully cooperating with the Secret Service and Target to identify the possible cause of the breach and to help create proactive initiatives that will further enhance the security of client/vendor connections making them less vulnerable to future breaches."
The company's statement also sought to dispel some information on blogs and other outlets that said the company remotely monitored heating, cooling and refrigeration for Target, which has about 1,800 stores nationwide.
"Our data connection with Target was exclusively for electronic billing, contract submission and project management, and Target is the only customer for whom we manage these processes on a remote basis," the statement said. "No other customers have been affected by the breach."
Target has said hackers stole about 40 million debit and credit card numbers and the personal information, including names, email addresses, phone numbers and home addresses of as many as 70 million customers. The chain has nearly 1,800 stores.
Banks, credit unions and other entities that issued debit and credit cards have had to cancel and reissue cards, close transactions or accounts, and refund or credit card holders for transactions made with the stolen data.
Target has said its customers won't be responsible for any losses.
A western Pennsylvania credit union, earlier this week, filed a lawsuit seeking class-action status on behalf of financial institutions nationwide that have spent time and money helping customers deal with the effects of the data breach.