Target POS malware breach
Attackers entered Target via stolen credentials from an HVAC contractor, pivoted to the payment network, and stole magstripe data on 40 million credit and debit cards plus PII on 70 million customers.
- Victim: Target Corporation
- Loss: $292.0M
- Records: 110.0M
- Users: 110.0M
In the run-up to Christmas 2013, attackers planted BlackPOS memory-scraping malware on Target Corporation's point-of-sale terminals across the United States and exfiltrated magstripe data on 40 million payment cards plus PII on 70 million customers. The entry point was a third-party HVAC contractor that had remote network access to Target's billing portal, which made this the case study that put third-party risk on every CISO's agenda.
What happened
The intrusion began, as early as September 2013, with a spearphishing email to Fazio Mechanical Services, a Pennsylvania HVAC and refrigeration contractor that worked on Target stores. Early reporting assumed Fazio's connection was used to monitor Target's heating, ventilation, and air conditioning systems for energy efficiency; Fazio later stated that its data connection with Target was used only for electronic billing, contract submission, and project management. Either way, Fazio's anti-malware was a free consumer-grade tool unsuitable for an organization holding remote credentials to a Fortune 50 retailer's network.
Attackers harvested Fazio's credentials for Target's external Ariba billing portal and used them to log in; the portal reportedly did not require a second authentication factor, so a single stolen password was enough. From there they pivoted internally, exploiting weak network segmentation between Target's vendor-facing infrastructure and its payment processing network. A vendor billing portal should never have a path to the POS environment; this one did, and the attackers found it.
On the eve of Black Friday 2013, the operators deployed BlackPOS (also known as Kaptoxa, from the Russian slang for "potato"), a memory-scraping POS malware that read track-1/track-2 data out of the POS application's RAM, where it sits in cleartext between the swipe and encryption for transmission. Captured data was written to a local file, collected over a Windows share onto a small number of compromised internal servers, and then exfiltrated by FTP to drop sites in Brazil and Russia.
The most painful detail in the post-mortem: Target's FireEye deployment alerted on the malware on 30 November 2013, and again on 2 December as the exfiltration tooling was staged, nearly three weeks before public disclosure. Target's outsourced monitoring team in Bangalore escalated the alerts to the security operations center in Minneapolis, where they were not acted on. FireEye's option to automatically quarantine the detected malware had also been turned off, so detection never turned into containment.
Impact
- 40 million payment cards stolen with full track-1/track-2 magstripe data, enabling clone-card fraud across U.S. retailers.
- 70 million customer records (names, addresses, phone numbers, email) stolen separately.
- Costs to Target: about $292M in cumulative breach-related expense, roughly $202M net of insurance recoveries, including:
  - $18.5M multi-state attorneys general settlement (2017, the largest U.S. AG breach settlement at the time)
  - ~$10M class action settlement for affected consumers
  - $39.4M settlement with banks for card reissuance and fraud costs
  - $100M+ in EMV upgrade and IT remediation
- CEO Gregg Steinhafel resigned in May 2014, widely described as the first Fortune 500 CEO to lose his job over a cyber incident, setting a precedent for board-level cyber accountability.
- CIO Beth Jacob resigned in March 2014.
Why it matters
Target is the canonical case for third-party risk and network segmentation failure. It established:
- That a single weak link in the vendor chain can compromise a Fortune 50 retailer. The HVAC contractor was treated as a low-priority vendor, yet its credentials were the entry vector for what was then the most damaging U.S. retail breach.
- That alerts without action are worse than no alerts: Target had top-tier detection (FireEye), and it caught the attack, but the response chain failed.
- That board-level cyber accountability is a viable consequence of major incidents. The Steinhafel resignation reset C-suite expectations about who owns cyber outcomes.
- That payment card industry standards (PCI-DSS) by themselves do not prevent breaches. Target had been certified PCI-DSS compliant in September 2013, weeks before the intrusion began.
The breach also accelerated the U.S. retail sector's move to EMV chip cards. The card networks had scheduled the October 2015 liability shift, under which counterfeit-card fraud falls on whichever party (merchant or issuer) has not adopted chip technology, well before the breach; what Target changed was the urgency. Target itself committed $100M to chip-and-PIN terminals and cards and pulled its own rollout forward, and other large retailers followed.
Financial impact
Reported costs in USD
- Business loss: $90.0M
- Remediation: $100.0M
- Fines & settlements: $102.0M
Timeline
September 2013: Attackers send a Citadel-variant trojan via spearphishing email to Fazio Mechanical Services, a Pennsylvania HVAC contractor servicing Target stores.
12 November 2013: Attackers use Fazio's compromised credentials to log into Target's external billing portal, then pivot internally to Target's corporate network.
15-28 November 2013: BlackPOS / Kaptoxa malware is installed on a small number of terminals as a test, then pushed to most of Target's point-of-sale infrastructure by 28 November, the eve of Black Friday. RAM scraping captures track-1/track-2 magstripe data at checkout.
30 November and 2 December 2013: FireEye's network monitoring (deployed at Target) detects and alerts on the malware. Target's monitoring team in Bangalore escalates the alerts to the Minneapolis security operations center, which does not act on them. Exfiltration runs from 2 December until about mid-December.
12 December 2013: U.S. Department of Justice notifies Target of the breach after stolen cards begin appearing on Russian criminal markets (the 'Rescator' carding store).
18-19 December 2013: Brian Krebs publicly breaks the story; Target confirms 40M payment cards stolen.
10 January 2014: Target expands disclosure: 70M additional records (names, addresses, emails) also stolen.
5 March 2014: CIO Beth Jacob resigns.
5 May 2014: CEO Gregg Steinhafel resigns, the first U.S. Fortune 500 CEO to leave directly over a cyber incident.
23 May 2017: Target settles with 47 U.S. state attorneys general and the District of Columbia for $18.5M; total combined settlements and remediation exceed $292M.
Sources
- krebsonsecurity.com: https://krebsonsecurity.com/2014/02/target-hackers-broke-in-via-hvac-company/
- commerce.senate.gov: https://www.commerce.senate.gov/services/files/24d3c229-4f2f-405d-b8db-a3a67f183883
- ftc.gov: https://www.ftc.gov/news-events/news/press-releases/2017/05/target-pay-185-million-multistate-settlement-2013-data-breach