Target Breach: 40 Million Cards Stolen via Third-Party HVAC Contractor

Brian Krebs

What happened

Attackers compromised Target's network by first breaching an HVAC contractor with network access. They then moved laterally to point-of-sale systems and installed malware that collected 40 million credit and debit card numbers during the 2013 holiday shopping season.[1]

What went wrong

Target gave a third-party HVAC vendor direct network access without isolating that access from payment systems. Network segmentation was inadequate, allowing lateral movement from HVAC credentials to POS terminals. Security alerts from monitoring tools were reportedly dismissed.[1]

Lesson learned

Third-party vendors with any network access must be isolated from critical systems via strict segmentation. Supply chain security is perimeter security — attackers will always target the weakest link, which is often a subcontractor.
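As an added illustration (not part of the original write-up), the Python audit below treats firewall allow rules as a graph and reports any chain of rules that lets a vendor zone reach a payment zone, the multi-hop path that rule-by-rule review tends to miss. The zone names, ports and rules are constructed for the example and are not taken from the incident.

```python
from collections import deque

# Constructed sample policy: (source zone, destination zone, port) allow rules.
# Zone names and ports are hypothetical, not taken from the incident.
ALLOW_RULES = [
    ("vendor_hvac", "facilities_mgmt", 443),
    ("facilities_mgmt", "corp_servers", 445),
    ("corp_servers", "pos_terminals", 3389),
    ("corp_servers", "email", 25),
    ("pos_terminals", "payment_processor", 443),
]


def find_path(rules, source, target):
    """Return the shortest chain of allow rules from source to target, or None."""
    graph = {}
    for src, dst, port in rules:
        graph.setdefault(src, []).append((dst, port))
    queue = deque([(source, [])])
    seen = {source}
    while queue:
        zone, path = queue.popleft()
        if zone == target:
            return path
        for dst, port in graph.get(zone, []):
            if dst not in seen:  # visit each zone once, so cycles terminate
                seen.add(dst)
                queue.append((dst, path + [(zone, dst, port)]))
    return None


def audit(rules, untrusted_zones, critical_zones):
    """List every reachable untrusted-to-critical pair with its rule chain."""
    findings = []
    for untrusted in untrusted_zones:
        for critical in critical_zones:
            path = find_path(rules, untrusted, critical)
            if path is not None:
                findings.append((untrusted, critical, path))
    return findings


if __name__ == "__main__":
    for untrusted, critical, path in audit(ALLOW_RULES, ["vendor_hvac"], ["pos_terminals"]):
        chain = " -> ".join(f"{src}=>{dst}:{port}" for src, dst, port in path)
        print(f"FINDING {untrusted} can reach {critical}: {chain}")
    # Segmented policy: the corp-to-POS rule is removed, so the audit is clean.
    segmented = [r for r in ALLOW_RULES if r[1] != "pos_terminals"]
    print("segmented findings:", audit(segmented, ["vendor_hvac"], ["pos_terminals"]))
```

No single rule in the sample policy connects the vendor zone to the POS zone; the finding only appears when the rules are followed end to end.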

Est. value burned: ~$292M (settlements + remediation)

Sources

[1] Brian Krebs. Target Breach: 40 Million Cards Stolen via Third-Party HVAC Contractor