Fazio Mechanical Services, a third-party HVAC contractor with remote network access to Target's systems, had its credentials stolen via a phishing email deploying the Citadel banking trojan. The stolen credentials provided the initial foothold into Target's network.

BlackPOS (Kaptoxa) malware was deployed on a significant fraction of Target's 1,800 US store POS terminals, harvesting payment card data from system memory between swipe and encryption. The malware exfiltrated 40 million card numbers over 21 days.

Target's FireEye intrusion detection system generated alerts during the malware installation phase. Those alerts were not escalated or acted upon. This failure of internal detection and response compounded the initial vendor-access vulnerability.

Journalist Brian Krebs at KrebsOnSecurity.com was first to publicly report the breach, on 18 December 2013, based on banking industry sources who had observed a pattern of card fraud traced to Target purchases. Target confirmed the breach the same day.

CIO Beth Jacob resigned in March 2014; CEO Gregg Steinhafel resigned on 5 May 2014. Both departures were attributed by the board and analysts to the breach and the company's handling of it. Steinhafel had been with Target for 35 years.

Target reached an $18.5 million settlement with the attorneys general of 47 states in May 2017. Cumulative costs including fraud reimbursements, legal fees, security upgrades, and settlements were estimated at approximately $300 million over subsequent years.

Reports indicated Fazio used a free version of Malwarebytes that did not include real-time protection as its primary endpoint security tool. Whether this directly caused the Citadel infection is debated; the adequacy of vendor security assessments by Target is a separate question.

The Target breach accelerated the US payment card industry's EMV (chip-and-PIN) migration timeline and prompted revisions to PCI DSS third-party vendor access standards. The 2015 EMV liability shift became a direct industry response to lessons from Target and subsequent breaches.

The Target breach began when attackers compromised credentials of Fazio Mechanical Services, Target's HVAC vendor, and used network access granted for electronic billing and project management to pivot to the point-of-sale environment. This attack vector — third-party vendor credential compromise — was a novel and sophisticated technique at the time, not a well-known risk that Target had deliberately ignored. The attack vector has since become a recognized supply-chain risk category and informed subsequent NIST and PCI DSS guidance.

Target CEO Gregg Steinhafel resigned in May 2014 — a significant accountability event that corporations rarely accept voluntarily. The breach also accelerated US adoption of EMV chip-card standards and PCI DSS 3.0's enhanced third-party vendor security requirements. These outcomes reflect the accountability mechanisms working — reputational pressure forcing leadership change and industry standards reform — not a system designed to protect corporations from consequences of security failures.

Fazio Mechanical Services, a third-party HVAC contractor with remote network access to Target's systems, had its credentials stolen via a phishing email deploying the Citadel banking trojan. The stolen credentials provided the initial foothold into Target's network.

BlackPOS (Kaptoxa) malware was deployed on a significant fraction of Target's 1,800 US store POS terminals, harvesting payment card data from system memory between swipe and encryption. The malware exfiltrated 40 million card numbers over 21 days.

Target's FireEye intrusion detection system generated alerts during the malware installation phase. Those alerts were not escalated or acted upon. This failure of internal detection and response compounded the initial vendor-access vulnerability.

Journalist Brian Krebs at KrebsOnSecurity.com was first to publicly report the breach, on 18 December 2013, based on banking industry sources who had observed a pattern of card fraud traced to Target purchases. Target confirmed the breach the same day.

CIO Beth Jacob resigned in March 2014; CEO Gregg Steinhafel resigned on 5 May 2014. Both departures were attributed by the board and analysts to the breach and the company's handling of it. Steinhafel had been with Target for 35 years.

Target reached an $18.5 million settlement with the attorneys general of 47 states in May 2017. Cumulative costs including fraud reimbursements, legal fees, security upgrades, and settlements were estimated at approximately $300 million over subsequent years.

Target CEO Gregg Steinhafel resigned in May 2014 — a significant accountability event that corporations rarely accept voluntarily. The breach also accelerated US adoption of EMV chip-card standards and PCI DSS 3.0's enhanced third-party vendor security requirements. These outcomes reflect the accountability mechanisms working — reputational pressure forcing leadership change and industry standards reform — not a system designed to protect corporations from consequences of security failures.

Reports indicated Fazio used a free version of Malwarebytes that did not include real-time protection as its primary endpoint security tool. Whether this directly caused the Citadel infection is debated; the adequacy of vendor security assessments by Target is a separate question.

The Target breach accelerated the US payment card industry's EMV (chip-and-PIN) migration timeline and prompted revisions to PCI DSS third-party vendor access standards. The 2015 EMV liability shift became a direct industry response to lessons from Target and subsequent breaches.

The Target breach began when attackers compromised credentials of Fazio Mechanical Services, Target's HVAC vendor, and used network access granted for electronic billing and project management to pivot to the point-of-sale environment. This attack vector — third-party vendor credential compromise — was a novel and sophisticated technique at the time, not a well-known risk that Target had deliberately ignored. The attack vector has since become a recognized supply-chain risk category and informed subsequent NIST and PCI DSS guidance.