Summary
During the 2013 holiday shopping season, attackers stole about 40 million payment-card numbers and personal data on roughly 70 million Target customers, one of the largest retail breaches in history. They did not start at Target. They started at Fazio Mechanical, a refrigeration and HVAC contractor that held an account on Target's vendor portal for billing and project management, phished its staff, and stole its login. Contrary to the popular retelling, Fazio had no remote access to Target's heating or refrigeration systems; it was an ordinary billing account. But because Target's network was flat, that low-value vendor login became a path all the way to the checkout lanes, where the attackers installed memory-scraping malware on the registers to grab card data as it was swiped. Target's own recently deployed detection system caught the malware and raised alerts, and the alerts were not acted on. The breach cost well over $200 million and became the defining lesson in third-party risk, network segmentation, and actually responding to your own alarms.
How it happened
The way in was a vendor account nobody thought to guard. In the autumn of 2013, attackers sent phishing emails to employees of Fazio Mechanical Services, a Pennsylvania refrigeration contractor, and infected its machines with malware (reported to be Citadel, a password-stealing trojan) that stole the credentials Fazio used to log into Target's external vendor portal for electronic billing, contracts, and project management. Those credentials should have been a dead end: a contractor's billing account has no business reaching a cash register. But Target's network was not segmented, so the attackers used that foothold to upload a web shell to a Target web application, queried Active Directory for database servers, used pass-the-hash to escalate and move laterally, and created a domain-admin account (named best1_user to blend in) before reaching the point-of-sale environment.
There they deployed BlackPOS (also called Kaptoxa), a piece of RAM-scraping malware. Card data is encrypted on disk and in transit, but for a brief moment, while the point-of-sale software processes a swipe, the card number sits in plaintext in memory. BlackPOS read it straight out of RAM on roughly 40,000 of Target's 60,000 registers across all 1,797 US stores, collected it on an internal staging server, and pushed it out through the built-in Windows FTP client to drop sites. Between 27 November and 15 December 2013 it harvested around 40 million cards.
The part that stung most: Target had deployed FireEye about six months earlier, and it worked. It flagged the malware on 30 November and again on 2 December, and the alerts went from Target's monitoring team in Bangalore to its security operations center in Minneapolis, which did not act on them (an auto-delete feature that could have removed the malware had been turned off), and even Symantec's antivirus independently flagged the activity. The breach became public only when the journalist Brian Krebs reported it on 18 December, after banks noticed a wave of fraud.
The damage
About 40 million payment cards and personal information on roughly 70 million people were stolen. Banks reissued millions of cards; costs to issuers and to Target ran to roughly $202 million net ($292 million gross, less about $90 million of insurance), and Target later agreed to an $18.5 million settlement with 47 states and the District of Columbia, the largest data-breach settlement of its time, which also required it to segment its network, add two-factor authentication, and appoint a chief information security officer. Its CEO, Gregg Steinhafel, resigned, one of the first chief executives to lose his job directly over a cyberattack, followed by its chief information officer. The breach also became a major argument for moving the US to chip-based (EMV) payment cards, which make stolen magnetic-stripe data far less useful.
Why Target still matters
Target is the canonical third-party-risk story: the weakest link in your security is not always inside your own walls, and an attacker will happily enter through a contractor you forgot you had connected. It is also a segmentation lesson, a flat network turned a billing-portal foothold into access to every register, and a detection lesson with a painful twist. Target was not blind; it had bought and deployed exactly the technology that caught the attack. The failure was the human loop after the alert, which is the part no tool fixes for you.
How to fix it
- Cut the compromised third-party access immediately and reset the affected vendor and internal credentials.
- Pull the malware from POS and endpoints, reimage, and rotate keys and certificates the attacker could have reached.
- Act on the alerts: triage what monitoring already flagged and reconstruct lateral movement from vendor portal to POS.
- Notify the card networks and issuers, and contain the cardholder-data environment.
How to avoid it
- Segment the network so a vendor or low-trust system can never route to payment or production systems; isolate the cardholder-data environment.
- Give third parties least-privilege, scoped, MFA-protected access, and monitor and time-box it.
- Tune and staff your alerting so high-fidelity detections get acted on, not buried.
- Restrict and monitor egress so bulk data exfiltration stands out.
- Use point-to-point encryption or tokenization so POS memory never holds usable card data.
References
- https://krebsonsecurity.com/2014/02/email-attack-on-vendor-set-up-breach-at-target/
- https://krebsonsecurity.com/2014/02/target-hackers-broke-in-via-hvac-company/
- https://www.commerce.senate.gov/services/files/24d3c229-4f2f-405d-b8db-a3a67f183883
- https://www.csoonline.com/article/548244/security0-11-steps-attackers-took-to-crack-target.html
Related vulnerabilities
All OpSec →- CRITICALOPSEC-MIDNIGHT-BLIZZARD-2024
In January 2024, Microsoft revealed that Russia's foreign-intelligence service, the same APT29 behind SolarWinds, had been reading the email of its senior leadership. The way in was almost insulting in its simplicity: a forgotten, non-production test account with a weak password and no MFA. The attackers guessed the password by spraying common ones across many accounts, then pivoted through a forgotten over-privileged application to grant themselves access to corporate mailboxes, including those of executives and the security and legal teams. It is the lesson that your security is only as strong as the account you forgot about, and that even Microsoft's perimeter fell to a missing MFA checkbox.
- CRITICALOPSEC-MGM-CAESARS-2023
In September 2023, two of the biggest names in Las Vegas, MGM Resorts and Caesars Entertainment, were brought to their knees, not by a sophisticated exploit, but by a phone call. The Scattered Spider group simply called the companies' IT help desks, impersonated employees, and talked the support staff into resetting their multi-factor authentication, handing the attackers a way in. From there they deployed ALPHV/BlackCat ransomware. Caesars paid about $15 million; MGM refused and took a roughly $100 million hit as slot machines, hotel keys, and check-in systems went dark for days. It is the lesson that the help desk is part of your attack surface, and that the most advanced MFA is undone by a human who can be convinced to reset it.
- CRITICALOPSEC-LASTPASS-2022
LastPass is a password manager, the digital vault tens of millions of people trusted with every password they have. In 2022 attackers got into it, and the breach unfolded in a way that turned a developer's home computer into a path to those vaults. A first intrusion stole source code. The attackers used it to identify and target one of only four engineers who held the keys to production backups, planting a keylogger on his home PC through an unpatched flaw in, of all things, his Plex media server. With his master password captured, they exfiltrated backups of customers' encrypted password vaults. The encryption held, but anyone with a weak master password was now exposed to offline cracking at the attacker's leisure. It is the lesson that a vault is only as strong as the master password protecting it, and that your blast radius includes your engineers' home machines.
- HIGHOPSEC-TWILIO-2022
On 7 August 2022, Twilio, a company whose entire business is sending text messages and verification codes for other companies, was breached through text messages. Attackers ran an SMS phishing campaign against Twilio's own employees, texting them fake "your password expired" alerts from numbers that looked like Twilio IT and linking to convincing fake login pages. Several staff entered their credentials, handing over access to internal tools and the data of more than 200 customers, and rippling downstream to users of the secure-messaging app Signal. It was one strike in a sprawling campaign, dubbed 0ktapus, that phished around 130 companies the same way. It is the lesson that phishing-resistant MFA exists for a reason: ordinary credentials and codes can always be talked out of a human.
- HIGHOPSEC-TWITTER-2020
On 15 July 2020, the Twitter accounts of Barack Obama, Joe Biden, Elon Musk, Bill Gates, Jeff Bezos, and Apple all tweeted the same thing: send Bitcoin and I will send back double. It was a scam, and it ran from inside Twitter. Attackers had phoned a handful of Twitter employees, posed as IT, and talked them out of their credentials, which gave access to an internal admin tool that could take over any account on the platform. The mastermind turned out to be a 17-year-old. It is the lesson that a powerful internal "god-mode" tool is only as secure as the most socially-engineerable employee who can reach it.
- CRITICALOPSEC-MARRIOTT-STARWOOD-2018
In November 2018 Marriott disclosed that the Starwood guest-reservation database had been breached. The headline number moved as the investigation went on, from an initial 500 million down to a refined estimate of around 339 million guest records, including 5.25 million unencrypted passport numbers. The most striking detail was the dwell time: attackers had been inside the Starwood system since July 2014 and went undetected for more than four years, straight through Marriott's 2016 acquisition of Starwood. Marriott inherited the compromised infrastructure without knowing intruders were already in it, and only an internal security tool flagging an unusual database query in September 2018 finally surfaced the breach, which US government sources attributed to Chinese state-linked actors. It led to a $52 million multi-state settlement and a 20-year FTC security order. It is the lesson in mergers-and-acquisitions cyber due diligence, dwell-time detection, and protecting and encrypting sensitive records.