> series: anatomy_of_a_breach —— part: 059 —— target: target_corporation —— customers: 110,000,000 —— entry: hvac_contractor
On 19 December 2013 — in the middle of the peak holiday shopping season — Target Corporation disclosed that attackers had stolen payment card data from approximately 40 million customers who had used their cards at Target stores between 27 November and 15 December 2013. In January 2014, Target revealed that personal information — names, addresses, phone numbers, and email addresses — for up to 70 million further customers had also been compromised. The combined figure: up to 110 million individuals affected.
The entry point was not a vulnerability in Target's own systems — it was stolen credentials from Fazio Mechanical Services, a small HVAC (heating, ventilation, and air conditioning) contractor that had network access to Target for electronic billing and project management. The attackers compromised Fazio through a phishing email, stole its Target network credentials, used those credentials to access Target's network, moved laterally from the contractor portal to the point-of-sale environment, and installed memory-scraping malware on POS terminals across 1,797 Target stores, capturing card data as the terminal processed it. The breach cost Target over $300 million in total, and its CEO and CIO both lost their jobs.
We'll scope your test for free and tell you exactly what you need. No obligation, no hard sell.
The Target breach is the definitive case study for supply chain risk through third-party vendor access. Fazio Mechanical was a small HVAC company with no dedicated IT security capability. They had been phished through a malicious email — a threat they were not trained or equipped to defend against. Yet they held credentials that provided network access to one of the largest retailers in the United States. The gap between Fazio's security posture and the sensitivity of the access they held was the vulnerability the attackers exploited.
The Target breach cost over $300 million, ended the careers of the CEO and CIO, and permanently changed how the retail industry thinks about vendor access, network segmentation, and point-of-sale security. For UK retailers covered in our retail sector analysis, the lessons are directly applicable: inventory and time-limit vendor access, segment the card-data environment from the rest of the network, require MFA on every remote and vendor login, monitor the POS environment for unexpected processes and outbound data flows, and test your defences before attackers test them for you.
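The segmentation and monitoring lessons above are concrete enough to show as code. What follows is an added example, not tooling from this page, from Target or from its investigators: a small segmentation audit that reads flow records from a card-data environment and flags the patterns the Target attack chain would have produced. It checks for a vendor-segment host reaching the POS segment, a POS host talking to anything other than its allow-listed payment switch (or to the internet directly), a bulk transfer leaving a POS host, and, going one step beyond the page, an internal host that has received bulk data from POS and then pushes bulk data out to the internet (a staging pattern). The zone ranges, the allow-list, the 5 MiB threshold and the flow records are all constructed for the example; public addresses use RFC 5737 documentation space.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

# Zone map. Ranges are constructed for this example; a real deployment loads them
# from the firewall policy or IPAM so the audit and the enforcement agree.
ZONES = {
    "vendor":    ipaddress.ip_network("10.10.0.0/24"),  # contractor / vendor portal segment
    "corporate": ipaddress.ip_network("10.20.0.0/16"),  # general corporate LAN
    "pos":       ipaddress.ip_network("10.30.0.0/16"),  # card-data environment: POS terminals, store servers
}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# The only destinations a POS host may initiate connections to: the payment switch
# that forwards authorisations to the acquirer. Assumed subnet for the example.
POS_EGRESS_ALLOWLIST = [ipaddress.ip_network("10.20.5.0/24")]

# A single transfer at or above this size is flagged; 5 MiB is an arbitrary example threshold.
LARGE_TRANSFER_BYTES = 5 * 1024 * 1024


@dataclass
class Flow:
    ts: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int
    bytes_out: int


def zone_of(ip: ipaddress.IPv4Address) -> str:
    """Name the zone an address belongs to; unzoned private space and public space are distinguished."""
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "internal-unzoned" if any(ip in net for net in RFC1918) else "internet"


def parse_flow(line: str) -> Flow:
    """Parse one whitespace-separated record: ts src dst dport bytes_out."""
    ts, src, dst, dport, nbytes = line.split()
    return Flow(ts, ipaddress.ip_address(src), ipaddress.ip_address(dst), int(dport), int(nbytes))


def check_flow(f: Flow) -> List[str]:
    """Stateless policy checks on a single flow; returns the violations it represents."""
    findings = []
    src_zone, dst_zone = zone_of(f.src), zone_of(f.dst)

    # 1. Nothing in the vendor segment may reach the card-data environment.
    if src_zone == "vendor" and dst_zone == "pos":
        findings.append("vendor segment reached POS segment")

    # 2. POS hosts talk only to each other or to the allow-listed payment switch.
    if src_zone == "pos" and dst_zone != "pos" and not any(f.dst in net for net in POS_EGRESS_ALLOWLIST):
        if dst_zone == "internet":
            findings.append("POS host connected directly to the internet")
        else:
            findings.append(f"POS host connected to non-allow-listed {dst_zone} host")

    # 3. A bulk transfer out of a POS host is a collection/staging signal whatever the destination.
    if src_zone == "pos" and f.bytes_out >= LARGE_TRANSFER_BYTES:
        findings.append(f"large outbound transfer from POS host ({f.bytes_out} bytes)")

    return findings


def audit(lines: List[str]) -> List[Tuple[str, str]]:
    """Run check_flow over every record plus one stateful check; returns (record, finding) pairs."""
    results = []
    took_bulk_from_pos = set()  # hosts that have received a large transfer from the POS segment
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        f = parse_flow(line)
        for finding in check_flow(f):
            results.append((line, finding))
        # 4. Staging pattern: a host that took bulk data from POS later pushes bulk data to the internet.
        if zone_of(f.src) == "pos" and f.bytes_out >= LARGE_TRANSFER_BYTES:
            took_bulk_from_pos.add(f.dst)
        if f.src in took_bulk_from_pos and zone_of(f.dst) == "internet" and f.bytes_out >= LARGE_TRANSFER_BYTES:
            results.append((line, "host that received bulk POS data is now sending bulk data to the internet"))
    return results


# Constructed sample records, not data from the Target investigation.
# Columns: ts src dst dport bytes_out. Public addresses are RFC 5737 documentation space.
SAMPLE_FLOWS = """
# ts                   src           dst           dport  bytes_out
2013-12-02T03:14:07Z   10.10.0.15    10.20.7.40    443    2400
2013-12-02T03:16:21Z   10.10.0.15    10.30.4.21    445    18000
2013-12-02T03:20:02Z   10.30.4.21    10.20.5.10    7000   512
2013-12-02T03:22:45Z   10.30.4.21    10.20.9.77    445    9437184
2013-12-02T03:30:11Z   10.20.9.77    203.0.113.9   21     62914560
2013-12-02T03:31:00Z   10.30.4.22    198.51.100.5  80     800
""".strip().splitlines()

if __name__ == "__main__":
    for record, finding in audit(SAMPLE_FLOWS):
        print(f"{finding:75s} <- {record}")
```

Run as a script it prints five findings for the sample records. In practice `audit` would be fed from a flow collector or a firewall log export, and the zone map from the same source of truth the firewall rules are built from. Every finding here is a flow the segmentation policy should have blocked, so a hit means the policy is wrong or not enforced, which is exactly what a segmentation test is meant to surface before an attacker does.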
Our <a href="/penetration-testing/infrastructure">penetration testing</a> maps vendor access and validates segmentation. PCI DSS testing assesses payment security. <a href="/cyber-essentials">Cyber Essentials</a> mandates MFA and access controls. <a href="https://www.socinabox.co.uk/sectors/retailers">SOC in a Box for Retail</a> monitors for POS malware and anomalous data flows. And UK Cyber Defence provides incident response when a breach is detected.