Security Historical

Target Breach: 40 Million Cards Stolen via Third-Party HVAC Contractor

Brian Krebs
Target Breach: 40 Million Cards Stolen via Third-Party HVAC Contractor
Target retail store entrance with the red bullseye logo, the US retailer whose POS systems were compromised via HVAC vendor.Image: Wikimedia Commons

What happened

Attackers compromised Target's network by first breaching an HVAC contractor with network access. They then moved laterally to point-of-sale systems and installed malware that collected 40 million credit and debit card numbers during the 2013 holiday shopping season.[1]

Attackers entered Target's network through an HVAC contractor's credentials and stole 40 million payment card numbers in the 2013 breach.Image: Bad.Technology archive
Target retail store exterior with logo and payment terminal
Image: Bad.Technology archive

What went wrong

Target gave a third-party HVAC vendor direct network access without isolating that access from payment systems. Network segmentation was inadequate, allowing lateral movement from HVAC credentials to POS terminals. Security alerts from monitoring tools were reportedly dismissed.[1]

Lesson learned

Third-party vendors with any network access must be isolated from critical systems via strict segmentation. Supply chain security is perimeter security — attackers will always target the weakest link, which is often a subcontractor.

Est. value burned ~$292M settlements + remediation
breachsupply-chainposretailthird-partyUS

Sources

  1. [1]
    Brian Krebs Wikipedia
    Target Breach: 40 Million Cards Stolen via Third-Party HVAC Contractor Wayback Machine snapshot

External links can go dark — pages move, paywalls appear, domains expire. Every source above includes a Wayback Machine snapshot link as a fallback. All citations are best-effort research; if a source contradicts our summary, the primary source takes precedence.

More in Security