Target Corporation — 2013 card breach
Attackers entered Target's network through an HVAC supplier's stolen credentials, deployed memory-scraping malware on point-of-sale terminals, and exfiltrated 40M cards and 70M customer records.
- Target: Target Corporation — 2013 card breach
- Date public: 19 December 2013
- Sector: Retail
- Attack type: Data Breach
- Threat actor: Eastern European credit-card fraud crew (unattributed individuals)
- Severity: Critical
- Region: United States
In late 2013 attackers used the stolen credentials of Target's heating-and-ventilation contractor to reach the cash-register network of every Target store in the US. They deployed memory-scraping malware on the point-of-sale terminals and harvested the card details of 40 million customers as those customers tapped them at the till during the busiest shopping season of the year. The breach was found by US federal agents who had spotted a pattern of fraud on a stolen-card market. Target's own security tools had alerted on the malware deployment but the alerts were dismissed. The breach is the textbook case study for two industry truths: the supplier you trust most is the path attackers will use, and detection that produces alerts no one acts on is no detection at all.
The Target breach is the canonical case study for “the supplier is the path”. Attackers obtained the credentials of Fazio Mechanical Services, a Pennsylvania-based heating and ventilation contractor, through a Citadel banking trojan infection on a Fazio employee’s PC. Fazio used those credentials to access a Target supplier portal for invoicing and project tracking. From the supplier portal, the attackers found their way onto Target’s broader internal network, where they discovered that point-of-sale systems were reachable from the same flat network as the supplier-facing systems. Over a window in late November and early December 2013 — peak shopping season — the attackers deployed BlackPOS memory-scraping malware on the POS terminals and exfiltrated track data for 40 million credit and debit cards as customers tapped them at the till. Personal data on a further 70 million customers, partly overlapping with the card victims, was taken from a separate database during the same intrusion.
Target’s own security tooling, including a then-new FireEye deployment, generated alerts during the malware deployment phase. Internal review later established that the Symantec endpoint product also flagged the attacker’s tooling. Both alerts were investigated and dismissed. The breach was discovered externally — the US Department of Justice notified Target on 12 December after card-fraud patterns surfaced on a stolen-card market. Target disclosed publicly on 19 December, ahead of the holiday weekend, with a confirmed 40-million-card figure that was revised upward in subsequent disclosures.
Direct costs reached approximately $292 million, including a $39 million card-issuer settlement, an $18.5 million state attorneys-general settlement, a $10 million consumer class-action settlement, and an FTC consent order. The CEO and CIO both departed within months. The breach is widely credited with accelerating the US shift from magnetic-stripe to EMV chip cards, a deployment that had been mandated by the card networks for October 2015 and that the Target incident moved from compliance project to board-level priority.
Defender takeaway: trust hierarchies between organisations don’t translate into trust hierarchies inside a network. Fazio’s portal account was a legitimate, low-trust supplier credential. The path from that credential to a POS terminal scraping live card-track data ran through a flat internal network that had never been segmented because no one had ever asked “what is the worst thing the HVAC contractor could do if compromised?” The post-incident reports identify several specific architectural changes — vendor isolation networks, POS environment segmentation under the same PCI-DSS scope discipline now enforced everywhere, restricted east-west traffic between zones — that have since become baseline expectations. The other lesson is alert fatigue: Target’s tools detected the intrusion. The humans who triaged the alerts did not act on them. This is now the normal mode of breach disclosure rather than the exception.
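To make the “what is the worst thing the HVAC contractor could do” question answerable before a change goes live, here is an added example (not code from the original page, and not a description of Target’s actual network): a small Python model of zone-to-zone firewall policy that computes, transitively, which zones a compromised supplier account could reach. The zone names, ports, and both the flat and segmented policies are constructed assumptions chosen to mirror the takeaway above.

```python
"""Reachability model for a supplier credential's blast radius.

Added illustration, not a description of Target's real network: the zone
names, ports and both policies below are constructed for the example.
"""
from collections import deque
from typing import Dict, List, Set, Tuple

# A rule allows TCP traffic from one zone to another on one port.
# Port 0 is a wildcard meaning "any port".
Rule = Tuple[str, str, int]
ANY_PORT = 0

# Constructed zone names.
ZONES: Set[str] = {
    "internet", "vendor_portal", "corp", "pos_mgmt", "pos", "payment_switch",
}

# A flat network: every zone can reach every other zone on any port. This is
# the "never segmented" state the takeaway above describes.
FLAT_POLICY: List[Rule] = [
    (src, dst, ANY_PORT)
    for src in sorted(ZONES) for dst in sorted(ZONES) if src != dst
]

# A segmented network: supplier sessions terminate in the portal zone, the
# portal back end may call one corporate API, only a dedicated management
# zone may administer registers, and only registers may reach the payment
# switch. Nothing else is allowed (no implicit permit).
SEGMENTED_POLICY: List[Rule] = [
    ("internet", "vendor_portal", 443),   # contractors use the invoicing portal
    ("vendor_portal", "corp", 8443),      # portal back end -> corporate app API
    ("pos_mgmt", "pos", 22),              # register administration from a PAW zone
    ("pos", "payment_switch", 443),       # card authorisation traffic
]


def allows(policy: List[Rule], src: str, dst: str, port: int) -> bool:
    """True if some rule in the policy permits src -> dst on the given port."""
    return any(
        s == src and d == dst and p in (ANY_PORT, port) for s, d, p in policy
    )


def reachable_zones(policy: List[Rule], start: str) -> Set[str]:
    """Every zone a foothold in `start` can reach on any port, transitively.

    Breadth-first search over the zone graph: an edge exists wherever at
    least one rule allows traffic from one zone to the next.
    """
    seen = {start}
    queue = deque([start])
    while queue:
        src = queue.popleft()
        for s, d, _port in policy:
            if s == src and d not in seen:
                seen.add(d)
                queue.append(d)
    return seen - {start}


def exposure(policy: List[Rule], foothold: str, crown_jewels: Set[str]) -> Set[str]:
    """The crown-jewel zones that a compromise of `foothold` could reach."""
    return reachable_zones(policy, foothold) & crown_jewels


def lint_crown_jewel_ingress(
    policy: List[Rule], approved: Dict[str, Set[str]]
) -> List[Rule]:
    """Return rules that let an unapproved zone reach a crown-jewel zone.

    `approved` maps each crown-jewel zone to the set of zones permitted to
    initiate traffic to it. Intended as a pre-change check on a firewall policy.
    """
    return [
        (s, d, p) for s, d, p in policy
        if d in approved and s not in approved[d]
    ]


if __name__ == "__main__":
    jewels = {"pos", "payment_switch"}
    for name, policy in (("flat", FLAT_POLICY), ("segmented", SEGMENTED_POLICY)):
        hit = sorted(exposure(policy, "vendor_portal", jewels)) or "none"
        print(f"{name}: a compromised supplier account can reach {hit}")
    approved = {"pos": {"pos_mgmt"}, "payment_switch": {"pos"}}
    print("segmented policy violations:",
          lint_crown_jewel_ingress(SEGMENTED_POLICY, approved))
```

Run against the flat policy, `exposure()` reports that a foothold in the supplier zone reaches both the POS zone and the payment switch; against the segmented policy it reaches only the corporate API zone. `lint_crown_jewel_ingress()` is the check to wire into a change-control pipeline so that a new east-west rule into a crown-jewel zone from an unapproved source is caught before it ships.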
Controls that would have helped
Defender controls catalogued in the Controls Desk that would have changed the outcome of this incident, or limited its blast radius. Sourced from regulator and framework guidance — never vendors.
- Disable LLMNR, NetBIOS-NS and mDNS on Windows networks: Three legacy name-resolution protocols on Windows let any attacker on the LAN poison hostname lookups and harvest hashes from any user that mistypes a server name. Disable them.
- Centralised log collection with bulk-export anomaly alerting: The most common dwell-time signal in the catalogue is a bulk-query or bulk-export pattern that nobody alerted on. Collect the logs, retain them, and alert when they tell you what's happening.
- Maintain a critical-third-party register, with exit plans for each: Most large breaches start at a vendor you wouldn't have called critical. Maintain a register of who can hurt you, what data they hold, and how you survive when they fail.
- Privileged Access Workstations for tier-0 administration: Domain admins and cloud-tenant root holders should not be checking email and admining the directory from the same laptop. Separate the device, separate the trust tier.
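As an added illustration of the bulk-export anomaly alerting control above (example code written for this page, not from the Controls Desk catalogue or any vendor product): a Python detector that aggregates outbound bytes per host per clock hour from constructed egress log lines and raises an alert when a single hour exceeds both a multiple of that host’s own median history and an absolute floor. The log format, host names, addresses and thresholds are all assumptions; the 203.0.113.0/24 destination is a documentation range, not a real indicator.

```python
"""Bulk-export anomaly detection over per-host outbound byte counts.

Added illustration. The log format, host names, addresses and thresholds are
constructed for the example; 203.0.113.0/24 is a documentation range, not a
real indicator.
"""
import re
from collections import defaultdict
from datetime import datetime
from statistics import median
from typing import Dict, List, Tuple

# Constructed egress log: one line per outbound connection summary. Four
# quiet hours per register, then one register pushes 48 MB to an outside
# address in hour five. The last line is deliberately malformed.
SAMPLE_LOGS = """
2013-12-02T01:10:00Z host=pos-0117 dst=10.20.0.5 bytes_out=1800
2013-12-02T01:12:00Z host=pos-0230 dst=10.20.0.5 bytes_out=2500
2013-12-02T02:05:00Z host=pos-0117 dst=10.20.0.5 bytes_out=2100
2013-12-02T02:07:00Z host=pos-0230 dst=10.20.0.5 bytes_out=2400
2013-12-02T03:01:00Z host=pos-0117 dst=10.20.0.5 bytes_out=1950
2013-12-02T03:09:00Z host=pos-0230 dst=10.20.0.5 bytes_out=2600
2013-12-02T04:15:00Z host=pos-0117 dst=10.20.0.5 bytes_out=2000
2013-12-02T04:20:00Z host=pos-0230 dst=10.20.0.5 bytes_out=2450
2013-12-02T05:02:00Z host=pos-0117 dst=203.0.113.7 bytes_out=30000000
2013-12-02T05:40:00Z host=pos-0117 dst=203.0.113.7 bytes_out=18000000
2013-12-02T05:11:00Z host=pos-0230 dst=10.20.0.5 bytes_out=2550
this line is malformed and is skipped by the parser
"""

LOG_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) "
    r"host=(?P<host>\S+) dst=(?P<dst>\S+) bytes_out=(?P<bytes>\d+)$"
)

Event = Tuple[datetime, str, str, int]


def parse(text: str) -> List[Event]:
    """Parse log lines into (timestamp, host, destination, bytes_out) tuples.

    Lines that do not match the schema are dropped rather than raising, so a
    single malformed record cannot stall the pipeline.
    """
    events: List[Event] = []
    for line in text.splitlines():
        m = LOG_LINE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m["host"], m["dst"], int(m["bytes"])))
    return events


def hourly_bytes(events: List[Event]) -> Dict[str, List[Tuple[datetime, int]]]:
    """Sum bytes_out per host per clock hour; each host's series is sorted by hour."""
    totals: Dict[Tuple[str, datetime], int] = defaultdict(int)
    for ts, host, _dst, nbytes in events:
        totals[(host, ts.replace(minute=0, second=0, microsecond=0))] += nbytes
    series: Dict[str, List[Tuple[datetime, int]]] = defaultdict(list)
    for (host, hour), total in totals.items():
        series[host].append((hour, total))
    for host in series:
        series[host].sort()
    return series


def detect_bulk_export(
    events: List[Event],
    min_history: int = 3,
    factor: float = 10.0,
    floor_bytes: int = 10_000_000,
) -> List[dict]:
    """Flag hours where a host sent far more than its own recent median.

    The absolute floor stops tiny baselines (a register that normally sends a
    few KB) from alerting on trivial fluctuations; the factor keeps a large
    hour from hiding behind a host that is always busy.
    """
    alerts = []
    for host, series in hourly_bytes(events).items():
        history: List[int] = []
        for hour, total in series:
            if len(history) >= min_history:
                baseline = median(history)
                if total >= floor_bytes and total > factor * baseline:
                    alerts.append({
                        "host": host,
                        "hour": hour.isoformat(),
                        "bytes_out": total,
                        "baseline": baseline,
                    })
            history.append(total)
    return alerts


if __name__ == "__main__":
    for alert in detect_bulk_export(parse(SAMPLE_LOGS)):
        print(alert)
```

On the constructed input the detector raises exactly one alert, for `pos-0117` in the 05:00 hour, with the two transfers summed to 48,000,000 bytes against a median baseline of 1,975 bytes. Per-host baselines matter here: a store-wide threshold would be set by the busiest back-office system and never fire for a register, which is the kind of signal that goes unnoticed for weeks.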