NEW YORK —
Stasiak emphasized that the thieves would have still needed to do some serious hacking to move through Target's network and reach the checkout system.
Chester Wisniewski, an adviser for the computer security firm Sophos, said that while it may seem shocking that Target's systems are that connected, it is a lot cheaper for a company to manage one network rather than several.
He added that while retailers are supposed to keep consumer information separate, they are not required to house it on a separate network.
Still, he said he was extremely surprised to hear that the hackers may have gotten in via a billing system, saying those kinds of connections are supposed to provide extremely limited access to the other company's network.
As a result, while the hackers were clearly talented, it's obvious something went wrong on Target's end, he said.
"If normal practices were followed, they wouldn't have been able to get access," Wisniewski said.
Secret Service spokesman Brian Leary confirmed that investigators are looking into the attack at Fazio Mechanical Services, but wouldn't provide details. Molly Snyder, spokeswoman for Minneapolis-based Target, would not comment.
Federal prosecutors in Pittsburgh referred calls to their counterparts in Minnesota, who would not discuss the investigation.
In the weeks since Target disclosed the breach, banks, credit unions and other card companies have canceled and reissued cards, closed accounts and refunded credit card holders for transactions made with the stolen data.
The Consumer Bankers Association said that its members have replaced over 17.2 million debit and credit cards as a result of the Target breach, at a cost of over $172 million.
Target has said its customers won't be responsible for any losses.