Target Corporation Data Breach 2013
Breach Summary
The Target data breach of 2013 remains one of the most consequential retail cyberattacks in history, exposing 40 million payment cards and 70 million customer records during the peak holiday shopping season. It fundamentally changed how corporations, boards, and regulators think about third-party vendor risk and network segmentation.
What Happened
Between November 27 and December 15, 2013, attackers operated inside Target's point-of-sale network, capturing payment card data from every swipe at Target's approximately 1,800 US stores. The breach was active throughout the busiest shopping period of the year. Target was notified of the breach by the US Secret Service on December 12, 2013, based on intelligence from the banking industry that traced compromised cards to common merchant points. Public disclosure came December 19.
Attack Vector Detail
Attackers gained initial access using stolen credentials from Fazio Mechanical, an HVAC subcontractor with remote network access for refrigeration monitoring. From that foothold, they moved laterally to Target's point-of-sale systems, deploying RAM-scraping malware called BlackPOS that captured card data in real time as transactions were processed. The attackers' pivot from the vendor network to POS systems succeeded because internal network segmentation was insufficient: the two segments could communicate in ways never intended by Target's security architecture.
Target's FireEye security system correctly detected and alerted on the malware. The alerts were reviewed by the security operations team in Bangalore, who escalated. The US team did not act. The malware operated for 19 days before external notification from the US Secret Service prompted a meaningful response.
Breach Pattern Timeline
September 2013
Attackers compromise Fazio Mechanical Services, a Target HVAC contractor in Pennsylvania, via an email phishing campaign that delivers Citadel malware. They steal Fazio's vendor portal credentials for Target's Ariba supplier system.
November 15, 2013
Attackers use Fazio credentials to access Target's network. They pivot from the vendor portal to internal systems, exploiting inadequate network segmentation between vendor and POS systems.
November 27, 2013
Attackers deploy 'BlackPOS' (Kaptoxa) malware on Target POS terminals and begin scraping payment card data from Track 1/Track 2 magnetic stripes during card authorization.
November 30, 2013
FireEye threat detection at Target generates alerts about the malware. Alerts are reportedly investigated but not escalated to remediation.
December 2-15, 2013
Attackers exfiltrate 40 million payment card records and 70 million customer records (including names, addresses, phone numbers, email addresses) via FTP to staging servers in Russia.
December 12, 2013
U.S. Department of Justice notifies Target of the breach after multiple banks identify Target as the common point of card fraud.
December 19, 2013
Target publicly confirms breach: 40 million payment cards. Holiday-season disclosure triggers immediate consumer trust crisis.
December 27, 2013
Target reveals additional 70M customer records exposed.
February 2014
CEO Gregg Steinhafel resigns. CIO Beth Jacob resigns. Target appoints first Chief Information Security Officer.
December 2015
Target settles class action with consumers for $10 million.
May 2017
Target settles with 47 state attorneys general for $18.5 million — the largest multi-state data breach settlement at the time.
2014-2017
Total breach-related costs disclosed in Target's 10-K filings: $292 million pre-tax, $202 million net of insurance recoveries. Target invests heavily in EMV chip card adoption, network segmentation, and CISO function buildout.
Total impact: 110 million records (40M payment cards + 70M customer records), $292M total breach costs, $18.5M state AG settlement, foundational precedent for third-party vendor risk and the CISO function as a board-level accountability.
Executive Lessons
Target established the model for third-party vendor compromise as a major breach vector — a model that has since been replicated in SolarWinds, 3CX, and dozens of other supply chain attacks. The breach also produced the first major US retail CEO departure directly attributable to a cybersecurity incident, establishing executive accountability for breach consequences in a way that had not previously been documented at scale. The $18.5 million state AG settlement and associated regulatory actions reinforced that retailers are obligated to protect payment card data under PCI DSS standards regardless of how the breach occurs.
Private Equity Implications
The Target breach established that inadequate vendor access controls and network segmentation create material liability. For PE sponsors with retail, hospitality, or any consumer-facing portfolio companies, the segmentation question is critical: if a vendor connection were compromised tomorrow, what systems could an attacker reach? The answer frequently surprises both portfolio company leadership and PE sponsors.
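The question above (what could an attacker reach from a compromised vendor connection?) and the segmentation failure described under Attack Vector Detail can be checked mechanically against a firewall rule export. The following is an added example, not part of the original page and not Target's configuration: the zone names, services and allow rules are constructed, and the function names are hypothetical. It goes slightly beyond the vendor case by running the same transitive-reachability check for egress from the POS zone.

```python
from collections import deque

# Constructed allow rules (source zone, destination zone, service).
# Zone names and services are hypothetical, not taken from the breach reports.
ALLOW_RULES = [
    ("internet", "vendor_portal", "https"),
    ("vendor_portal", "corp_apps", "smb"),
    ("corp_apps", "store_mgmt", "rdp"),
    ("store_mgmt", "pos", "smb"),
    ("pos", "store_mgmt", "smb"),
    ("store_mgmt", "internet", "ftp"),
    ("corp_apps", "internet", "https"),
]

def shortest_paths(rules, start):
    """BFS over zone-to-zone allow rules.

    Returns {zone: [(src, dst, service), ...]}: the shortest chain of rules
    that lets traffic originating in `start` reach each zone, hop by hop.
    """
    graph = {}
    for src, dst, svc in rules:
        graph.setdefault(src, []).append((dst, svc))
    paths = {start: []}
    queue = deque([start])
    while queue:
        zone = queue.popleft()
        for dst, svc in graph.get(zone, []):
            if dst not in paths:  # first visit is the shortest chain
                paths[dst] = paths[zone] + [(zone, dst, svc)]
                queue.append(dst)
    return paths

def audit(rules, untrusted, protected):
    """Rule chain from an untrusted zone to a protected one, or None if segmented."""
    return shortest_paths(rules, untrusted).get(protected)

def without_rule(rules, rule):
    """Copy of the rule set with one allow rule removed (models a remediation)."""
    return [r for r in rules if r != rule]

if __name__ == "__main__":
    print("vendor_portal -> pos:", audit(ALLOW_RULES, "vendor_portal", "pos"))
    print("pos -> internet:", audit(ALLOW_RULES, "pos", "internet"))
    fixed = without_rule(ALLOW_RULES, ("vendor_portal", "corp_apps", "smb"))
    print("after fix:", audit(fixed, "vendor_portal", "pos"))
```

No single rule in the sample set connects the vendor zone to the POS zone; the exposure only appears when the rules are chained, which is why a per-rule review misses it.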