It was November 2013. Thanksgiving week. Target’s busiest stretch of the year, when 40 million Americans would swipe their cards in the checkout line and think absolutely nothing of it.
By Black Friday, attackers had already been inside Target’s network for six days.
By the time the breach was discovered — not by Target, but by a third-party security firm that noticed Target’s stolen card data showing up for sale online — the damage was done. 40 million credit and debit card numbers. 70 million records containing names, addresses, phone numbers, and email addresses. The kind of breach that doesn’t just make the news; it gets its own congressional hearing.
The investigation that followed turned up something that surprised a lot of people, though in hindsight it probably shouldn’t have.
The attackers didn’t get in through Target.
What Actually Happened
Fazio Mechanical Services is a small HVAC company based in Sharpsburg, Pennsylvania. They had a business relationship with Target — handling refrigeration and HVAC maintenance for a number of Target’s stores. Like many vendors, they had remote network access to Target’s systems. For billing. For monitoring. For doing their job.
Someone sent a phishing email to a Fazio employee. The employee clicked. Malware called Citadel — a variant of the Zeus banking trojan — installed itself quietly in the background and harvested Fazio’s network credentials.
The attackers used those credentials to log into Target’s vendor portal.
From there, they moved laterally through Target’s network — past systems that perhaps should have been better segmented — until they reached the point-of-sale systems. Then they installed memory-scraping malware on Target’s checkout terminals. Every time a card was swiped, the data was captured in the brief moment it existed unencrypted in memory, packaged up, and shipped out.
One phishing email to an HVAC company. 110 million records.
The Detail That Really Stings
Here’s the part that gets buried in most retellings: Target’s security tools caught it.
The company had a security operations center — staffed by a team in Bangalore — that received automated alerts when the malware began operating. The alerts were real. The tools worked. The team reviewed them, flagged them, and escalated.
And then nothing happened.
The alerts got lost in a flood of notifications. The escalation didn’t result in action. The automated response features that could have contained the malware were turned off — not because of negligence exactly, but because in a large environment, automated blocking tends to generate a lot of false positives and the team had learned to be cautious about letting it run unattended.
By the time someone connected the dots, tens of millions of cards had already been compromised.
What This Means for You
The Target breach introduced a term into mainstream security conversations that still matters today: third-party risk.
Every vendor you give network access to is a potential entry point. Not because your vendors are bad actors — Fazio didn’t do anything wrong except click a phishing email, which happens to people in every company, every day — but because their security posture becomes part of your attack surface the moment you hand them credentials.
Ask your vendors about their security practices. It doesn’t have to be an interrogation. A basic questionnaire — do you have MFA, do you do security awareness training, how do you handle remote access — is a reasonable thing to ask of anyone who has a door into your network. The resources page on this site has vendor risk assessment templates if you want a starting point.
Segment your network. Fazio’s vendor access shouldn’t have been a path to Target’s point-of-sale systems. Those should have been on entirely separate network segments with strict controls on what could communicate with what. In a small business this looks like separating your guest WiFi from your internal systems. At scale it looks like more sophisticated segmentation, but the principle is the same: limit how far someone can move once they’re in.
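The segmentation principle above, as an added example that is not part of the original post: a small reachability audit over two constructed flow policies, a flat one in which vendor access can reach the checkout segment and a segmented one in which it cannot. The segment names and allowed flows are assumptions made for illustration, not Target's actual topology.

```python
from collections import deque

# Constructed policies: each maps a network segment to the set of segments
# it is allowed to open connections to. These are illustrative, not real.
FLAT_POLICY = {
    # Vendor access lands on the corporate network, which can reach POS.
    "vendor-portal": {"corporate"},
    "corporate": {"vendor-portal", "pos"},
    "pos": {"corporate"},
}

SEGMENTED_POLICY = {
    # Vendor access reaches only a dedicated billing/monitoring zone.
    "vendor-portal": {"billing"},
    "billing": set(),
    "corporate": {"billing"},
    "pos": set(),
}

# Pairs that must never be reachable, even through intermediate hops.
FORBIDDEN = [("vendor-portal", "pos")]


def find_path(policy, src, dst):
    """Breadth-first search for a chain of allowed flows from src to dst.

    Returns the list of hops (src first, dst last), or None when dst cannot
    be reached. Multi-hop paths are what lateral movement actually exploits,
    so checking only direct src->dst rules is not enough.
    """
    queue = deque([[src]])
    seen = {src}
    while queue:
        path = queue.popleft()
        if path[-1] == dst:
            return path
        for nxt in sorted(policy.get(path[-1], ())):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return None


def audit(policy, forbidden=FORBIDDEN):
    """Return {(src, dst): path} for every forbidden pair that is reachable."""
    violations = {}
    for src, dst in forbidden:
        path = find_path(policy, src, dst)
        if path is not None:
            violations[(src, dst)] = path
    return violations
```

Run `audit(FLAT_POLICY)` to see the vendor-to-POS path spelled out hop by hop; `audit(SEGMENTED_POLICY)` returns no violations.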
Review your alert fatigue situation. If your security tools are generating so many alerts that your team has learned to tune them out, that’s a different kind of problem. The alerts that matter get lost in the noise. Prioritize fewer, better-tuned alerts over comprehensive ones that nobody can realistically process.
Target paid over $162 million in settlements. Their CEO and CIO both resigned. And Fazio Mechanical Services — the HVAC company that got phished — spent years dealing with the fallout from an event they didn’t really cause and couldn’t have easily prevented.
The lesson isn’t that you can’t trust your vendors. The lesson is that you can’t afford to not think about them.