The Target Data Breach
Summary

Target is an American retail corporation that operates a chain of discount department stores and hypermarkets. It is the seventh-largest retailer in the United States and is headquartered in Minneapolis, Minnesota. In late 2013, Target suffered one of the most infamous retail breaches in cybersecurity history. Here is how it happened.

The Target data breach

Target was breached between November 27 and December 15, 2013, and publicly disclosed the breach on December 19 of the same year. The stolen data included 40 million credit and debit card numbers and the personal records of up to 70 million customers, including names, mailing addresses, phone numbers, and email addresses.

How did it happen?

The initial compromise came through a third-party vendor: attackers phished credentials from an HVAC contractor, Fazio Mechanical Services. Fazio had remote access to Target's systems for electronic billing, contract submission, and project management. That vendor access was not segmented from the rest of Target's internal network, so a stolen billing login became a foothold in the corporate environment.

Once inside, the attackers moved laterally through the internal network, escalated privileges, and reached the POS network where payment card data was processed.

Finally, they deployed malware to the POS terminals: a RAM scraper known as BlackPOS. When a card is swiped, its magnetic-stripe track data sits in the POS process's memory in cleartext while the authorization is processed; BlackPOS scanned that memory and copied the card data before it was encrypted for transmission. The stolen data was staged on an internal server, exfiltrated over FTP to attacker-controlled servers, and later sold on underground carding marketplaces.
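The memory-scraping step above is easiest to understand from the pattern it looks for. The following is an added example, not Target's or the BlackPOS code: it scans a buffer for Track 2 records in the ISO/IEC 7813 layout (`;PAN=YYMM` + service code + discretionary data + `?`) and drops matches that fail the Luhn check, which is the same match a memory-scanning detector or DLP check can run to prove cleartext card data is present. The `SAMPLE_MEMORY` buffer, the test PANs, and the `Track2Hit` record type are constructed for the example.

```python
"""Scan a memory buffer for cleartext magnetic-stripe Track 2 data.

Added example, not code from the Target breach or from BlackPOS. The same
pattern match a RAM scraper runs against POS process memory is what a
memory-scanning detector can run to find cleartext card data. SAMPLE_MEMORY
is constructed sample data, not a real memory dump.
"""
import re
from typing import List, NamedTuple

# Track 2 layout (ISO/IEC 7813): ';' + PAN (13-19 digits) + '=' + YYMM expiry
# + 3-digit service code + discretionary data + '?'.
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})(\d{0,20})\?")


class Track2Hit(NamedTuple):
    """One Track 2 record found in memory (PAN already masked)."""
    offset: int        # byte offset of the record in the buffer
    masked_pan: str    # first 6 and last 4 digits kept, the rest masked
    expiry: str        # YYMM as encoded on the stripe
    service_code: str


def luhn_ok(pan: str) -> bool:
    """Return True if the PAN passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Mask a PAN to the form a log or alert may safely contain."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_memory(buf: bytes) -> List[Track2Hit]:
    """Return every Luhn-valid Track 2 record found in buf, PANs masked."""
    hits: List[Track2Hit] = []
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode()
        if not luhn_ok(pan):
            continue            # digit runs that fit the layout by chance
        hits.append(Track2Hit(m.start(), mask_pan(pan),
                              m.group(2).decode(), m.group(3).decode()))
    return hits


# Constructed sample "memory": an authorization buffer with two swipes still in
# cleartext, one Luhn-invalid decoy, and unrelated process data around them.
# Both PANs are the well-known Visa/Mastercard test numbers, not real cards.
SAMPLE_MEMORY = (
    b"\x00\x00POS-AUTH\x00\x00"
    b";4111111111111111=25121011234567890?"               # Luhn-valid test PAN
    b"\x00\x00garbage;1234567890123456=2512101000?\x00"   # fits layout, fails Luhn
    b"\x00\x00"
    b";5555555555554444=24061010000000000?"               # Luhn-valid test PAN
    b"\x00end\x00"
)

if __name__ == "__main__":
    for hit in scan_memory(SAMPLE_MEMORY):
        print(f"offset {hit.offset}: PAN {hit.masked_pan} "
              f"exp {hit.expiry} svc {hit.service_code}")
```

Two points follow from running it. First, the regex alone would report the decoy; the Luhn check is what keeps a memory scan, whether the attacker's or the defender's, from drowning in false positives. Second, the only robust fix is to make sure nothing in process memory ever matches: encrypting track data at the read head (point-to-point encryption) leaves the scraper with ciphertext, which is why EMV and P2PE, not better regexes, were the remediation that mattered.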

What went wrong?

In the Target data breach, the attackers exploited weaknesses at several levels. At the perimeter, phished credentials from a vendor with no business on the payment network were enough to log in. At the network level, that vendor access was not segmented from the card-processing environment, so the attackers could move laterally all the way to the POS systems. At the endpoint level, the POS terminals held card data in cleartext in memory and ran the scraping malware undetected. And at the monitoring level, the intrusion and the exfiltration ran for almost three weeks before they were stopped.

The impact of the Target data breach

The impact of the Target data breach was unprecedented: up to 110 million customers, counting both cardholders and people whose personal information was exposed, were affected. The financial cost of the breach was reported at $292 million in Target's SEC filings, of which $90 million was reimbursed by insurance. Target was hit with dozens of lawsuits from customers, banks, and shareholders, and sustained considerable reputational damage and lost consumer trust. Target's share price dropped, and the recovery took months. Both its CIO and its CEO resigned in 2014.

Response and remediation

After the breach, Target launched a large internal investigation with Mandiant and the U.S. Secret Service. The company overhauled third-party vendor access controls and rolled out EMV chip-and-PIN cards and terminals, accelerating their adoption in the United States. It also hired its first Chief Information Security Officer (CISO) and invested heavily in SIEM tooling and alert escalation procedures.

Who was behind the Target Data Breach?

The Target data breach of 2013 has been attributed to a Russian-speaking cybercrime operation, with early reporting linking part of the malware to a teenage programmer in Russia and the monetization of the stolen data to an organized group of threat actors.

The author of the BlackPOS (also known as "Kaptoxa") malware was reported to be Sergey Taraspov, known by the alias "ree4".

Taraspov likely did not launch the attack himself; his malware was sold on underground forums and turned up in several high-profile breaches. The "Rescator" carding shop and the underground carding networks around it sold the stolen payment data to fraudsters.

The legacy of the Target data breach

Ultimately, the Target data breach had much broader implications than the damage to the company itself. It raised awareness of supply chain risk and of third-party access as an attack path, and it led to POS systems being treated as security-critical infrastructure. The breach helped catalyze the U.S. transition to chip-based payment cards, and the attack is still used as a case study by cyber insurers when underwriting high-exposure policyholders.

The attack brought cyber risk onto executive and board agendas and gave early impetus to the network segmentation and least-privilege access principles that later became Zero Trust architecture.
