While most Americans are familiar with the Target data breach that occurred from Black Friday through December 15th, what they really want to know now is how cyber thieves were able to gain access to Target’s network and then to its payment system.

Brian Krebs of Krebs On Security, the website that broke the original Target data breach story, reported on Wednesday that the cyber thieves were able to get onto Target’s network through a third-party vendor. What’s shocking to some now is that the vendor was Fazio Mechanical Services, a Pennsylvania-based company that does contract work for the retailer.

In earlier drafts of the report, Krebs said that it’s possible thieves could have gained access via Fazio, because some HVAC vendors have remote access to retailers’ environmental controls. In high-traffic environments, third-party vendors sometimes monitor the temperature and conditions in a store’s location by way of remote software, which allows them to log on to a company’s network and then monitor those systems. It was unclear why, if that was the case, the HVAC company could also gain access to Target’s payment system. Unfortunately, Krebs reported that this was sometimes common practice for large corporations. They may not have their systems and networks separated because they require two-step authentication.

On Thursday, Fazio responded to the report via a press release and confirmed that they were the vendor the thieves used for access, but said they did not monitor Target’s HVAC systems remotely. Instead, the company was given access to Target’s network for the sole purpose of “electronic billing, contract submission and project management,” Fazio said in the statement.

Krebs reported that the cyber thieves may have gained access to Target’s network as early as November 15th. That’s when they started planting their malware on a handful of POS systems to see if it would work as planned. From November 28th to December 15th, the cyber thieves spread their malware across the entire network, siphoning off information from more than 40 million customers.

Analysts, along with Krebs, agree that fixing the results of the data breach could cost Target nearly $500 million. In addition to implementing new and more secure systems, which is expected to cost $100 million, Target will most likely be held liable to banks and credit card providers that covered their customers in cases of fraud on their cards. Target could also be liable for the expenses associated with shutting down customer cards and then re-issuing them. The company has also suffered tremendous losses during the holiday season from customers who chose to shop somewhere else after the breach initially surfaced.

Some of Target’s losses could be covered by insurance. Target reportedly has over $100 million in cyber crime insurance and another $65 million in insurance protecting executives during crises like these.

The Secret Service has determined that the siphoned data was dumped on hacked servers in Miami and Brazil, and the perpetrators are believed to be Eastern European and Russian.