Target Point-of-Sale Breach

Attackers compromised Target's payment systems through an HVAC vendor, stealing 40 million credit card numbers and personal data from 70 million customers during the 2013 holiday shopping season.

Target · 2013

Background

Target is one of the largest US retailers with thousands of stores processing millions of payment transactions daily. The 2013 breach became a watershed moment in retail cybersecurity and third-party vendor risk management.

The Attack

Attackers first compromised Fazio Mechanical Services, a small HVAC contractor with network access to Target for remote monitoring. Using stolen credentials, they pivoted into Target's internal network and installed custom malware on point-of-sale terminals across the US. The malware scraped card data from memory as cards were swiped, a technique called RAM scraping.

Response

Target's own security team had deployed a malware detection tool that flagged the intrusion, but the alerts were ignored. The breach was ultimately discovered by the Department of Justice via reports from financial institutions tracking fraudulent card use. Target removed the malware, replaced POS terminals, and began a major security overhaul.

Outcome

The breach cost Target $162 million in expenses and settlements, caused the CEO and CIO to resign, and significantly damaged the brand's reputation. It directly accelerated the US transition to chip-and-PIN cards and prompted sweeping changes to how retailers manage vendor access.

Key Takeaways

  1. Third-party vendor access is an often-overlooked attack surface
  2. Principle of least privilege — vendors need only the minimum access required
  3. Security alerts with no response process are worthless
  4. Network segmentation between corporate IT and POS systems is critical
  5. Chip-and-PIN cards make RAM scraping attacks far less valuable
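
An added example (not part of the original article) for takeaways 2 and 4: a firewall policy can contain no direct vendor-to-POS rule and still allow a vendor to reach POS systems by chaining rules through intermediate zones. The zone names, services and rules below are constructed for illustration and do not describe Target's actual network.

```python
from collections import deque

# Constructed zone-to-zone allow rules: (source zone, destination zone, service).
# All names here are assumptions made for this example.
ALLOW_RULES = [
    ("vendor", "vendor_portal", "https"),
    ("vendor_portal", "corp_it", "smb"),
    ("corp_it", "pos", "smb"),
    ("corp_it", "internet", "https"),
    ("pos", "payment_processor", "tls"),
]

def build_graph(rules):
    """Index allow rules by source zone."""
    graph = {}
    for src, dst, service in rules:
        graph.setdefault(src, []).append((dst, service))
    return graph

def find_path(rules, source, target):
    """Breadth-first search for the shortest chain of allow rules
    from source to target; returns a list of rules or None."""
    graph = build_graph(rules)
    queue = deque([(source, [])])
    seen = {source}
    while queue:
        zone, path = queue.popleft()
        if zone == target:
            return path
        for dst, service in graph.get(zone, []):
            if dst not in seen:
                seen.add(dst)
                queue.append((dst, path + [(zone, dst, service)]))
    return None

def audit(rules, untrusted, protected):
    """Report every untrusted zone that can reach a protected zone, with the path."""
    findings = {}
    for src in untrusted:
        for dst in protected:
            path = find_path(rules, src, dst)
            if path:
                findings[(src, dst)] = path
    return findings

if __name__ == "__main__":
    for (src, dst), path in audit(ALLOW_RULES, ["vendor"], ["pos"]).items():
        print("segmentation gap:", " -> ".join([src] + [hop[1] for hop in path]))
    # Removing the corp_it -> pos rule closes the transitive path.
    hardened = [r for r in ALLOW_RULES if r[:2] != ("corp_it", "pos")]
    print("after hardening:", audit(hardened, ["vendor"], ["pos"]) or "no path")
```

Checking only for a direct vendor-to-POS rule would pass this policy; the transitive search is what exposes the gap.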