In December 2013, Target Corporation disclosed one of the most consequential data breaches in retail history. The attack compromised approximately 40 million credit and debit card numbers and the personal information of up to 70 million additional customers. But the most remarkable aspect of the breach was not its scale — it was the entry point. Attackers gained access to Target's network through Fazio Mechanical Services, a small HVAC and refrigeration contractor based in Sharpsburg, Pennsylvania. The Target breach remains one of the most studied cases in third-party risk management, illustrating how a single under-monitored vendor relationship can expose an entire enterprise.
The Attack Timeline
The compromise began in September 2013 when at least one employee at Fazio Mechanical Services fell victim to a phishing email. The attackers used this initial foothold to steal the network credentials that Fazio used to connect to Target's vendor portal, which was intended for electronic billing, contract submission, and project management.
With valid vendor credentials in hand, the attackers accessed Target's network and began moving laterally. Between November 15 and December 15, 2013, they installed malware on point-of-sale (POS) systems across nearly 1,800 Target stores in the United States. The malware, a variant of the BlackPOS RAM scraper, captured payment card data as cards were swiped at checkout terminals.
| Impact Category | Details |
|---|---|
| Payment Cards Compromised | Approximately 40 million |
| Personal Records Exposed | Up to 70 million (names, addresses, phone numbers, email addresses) |
| Attack Duration | November 15 – December 15, 2013 (approximately 30 days) |
| Estimated Total Cost | Over $200 million (including $18.5M multistate settlement) |
| Discovery | December 12, 2013 (by DOJ notification); disclosed December 19, 2013 |
The Vendor Risk Failure
The core failure was not that Target used third-party vendors — every large organization does. The failure was in how vendor access was governed. According to the kill chain analysis published by the U.S. Senate Committee on Commerce, Science, and Transportation, several critical breakdowns occurred:
- Excessive network access: Fazio Mechanical's credentials provided access far beyond what was needed for HVAC monitoring and billing. The vendor portal was not adequately segmented from the corporate network or the cardholder data environment.
- No multi-factor authentication: Vendor access relied on single-factor credentials (username and password), making stolen credentials immediately usable.
- Insufficient vendor security vetting: Fazio Mechanical was a small contractor with limited cybersecurity capabilities. Reports indicated the company used a free version of Malwarebytes Anti-Malware as its primary security tool, with no enterprise-grade endpoint protection.
- Ignored automated alerts: Target's FireEye intrusion detection system generated alerts during the attack, but the security team did not act on them in a timely manner.
The Aftermath and Financial Impact
Target publicly disclosed the breach on December 19, 2013, after being notified by the U.S. Department of Justice. The fallout was swift and severe. CEO Gregg Steinhafel resigned in May 2014. Target's CIO Beth Jacob also stepped down. The company reported breach-related costs exceeding $200 million, offset partially by a $90 million insurance payout. In 2017, Target reached an $18.5 million settlement with 47 states and the District of Columbia, which was at that time the largest multistate data breach settlement in history.
Beyond the direct financial costs, Target experienced a measurable decline in customer traffic and sales during the 2013 holiday season. Consumer trust, once damaged, proved difficult to rebuild. The breach also triggered a wave of regulatory scrutiny that accelerated the adoption of chip-and-PIN payment technology in the United States.
Why This Case Matters for TPRM
The Target breach is often cited as the event that put third-party risk management on the boardroom agenda. Before 2013, many organizations treated vendor risk as a procurement concern or a compliance checkbox. After Target, it became clear that a failure in vendor risk management could threaten the entire enterprise.
Applying FAIR Risk Quantification
Using the FAIR (Factor Analysis of Information Risk) framework, organizations can quantify the risk posed by vendor relationships like the one between Target and Fazio Mechanical. FAIR decomposes risk into loss event frequency and loss magnitude, and loss event frequency in turn into threat event frequency (how often vendor credentials are targeted) and vulnerability (the likelihood that a targeted credential yields meaningful access). By estimating each of these as a range and modeling loss magnitude (the financial impact of a breach through that vector) the same way, security teams can prioritize investments in vendor risk controls based on quantified exposure rather than subjective risk ratings.
Had Target applied a FAIR-based analysis to its vendor access architecture, the extreme loss exposure associated with unsegmented vendor access to POS systems would have been immediately apparent. This is exactly the type of risk quantification that modern TPRM platforms are designed to support.
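As an added illustration, not code from the original article or from the Fair TPRM project, the following Python Monte Carlo sketch applies the FAIR decomposition above to a constructed "stolen vendor-portal credential leads to POS malware" scenario and compares an unsegmented, single-factor posture with a segmented, MFA-protected one. Every input range is an illustrative assumption, not a figure from the Senate report or from Target.

```python
import random
import statistics

# Constructed FAIR inputs as triangular (min, most likely, max) ranges.
# tef : threat event frequency, attempts per year on the vendor credential
# vuln: probability a single attempt becomes a loss event
# lm  : loss magnitude in USD for one loss event
# These values are assumptions for illustration only.
SCENARIOS = {
    "unsegmented_single_factor": {
        "tef": (2.0, 6.0, 12.0),
        "vuln": (0.20, 0.40, 0.60),    # password-only, flat network
        "lm": (50e6, 200e6, 300e6),    # reaches the cardholder environment
    },
    "segmented_with_mfa": {
        "tef": (2.0, 6.0, 12.0),       # attacker interest is unchanged
        "vuln": (0.005, 0.02, 0.05),   # MFA + segmentation cut success rate
        "lm": (1e6, 5e6, 20e6),        # blast radius limited to the portal
    },
}


def draw(rng, tri):
    """Sample one value from a (min, mode, max) triangular range."""
    lo, mode, hi = tri
    return rng.triangular(lo, hi, mode)  # stdlib order is (low, high, mode)


def simulate(params, trials=10000, seed=1):
    """Return annualised loss statistics for one control posture."""
    rng = random.Random(seed)
    annual = []
    for _ in range(trials):
        attempts = round(draw(rng, params["tef"]))
        vuln = draw(rng, params["vuln"])
        # each attempt independently becomes a loss event with prob. vuln
        loss = sum(draw(rng, params["lm"])
                   for _ in range(attempts) if rng.random() < vuln)
        annual.append(loss)
    annual.sort()
    return {
        "ale": statistics.mean(annual),             # annualised loss exposure
        "p90": annual[int(0.9 * (trials - 1))],     # 90th percentile year
        "p_any_loss": sum(a > 0 for a in annual) / trials,
        "max": annual[-1],
    }


def compare(trials=10000, seed=1):
    return {name: simulate(p, trials, seed) for name, p in SCENARIOS.items()}


def control_value(trials=10000, seed=1):
    """ALE reduction attributable to segmentation plus MFA on vendor access."""
    r = compare(trials, seed)
    return r["unsegmented_single_factor"]["ale"] - r["segmented_with_mfa"]["ale"]
```

The gap between the two ALE figures is the quantity a FAIR-based TPRM review would weigh against the cost of segmenting the vendor portal and enforcing MFA.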
Protect Your Organization from Third-Party Risk
Fair TPRM is a free, open-source platform for vendor risk management, GRC compliance, and FAIR risk quantification.
Sources & References
- "Target Hackers Broke in Via HVAC Company" - Krebs on Security, February 2014
- "A Kill Chain Analysis of the 2013 Target Data Breach" - U.S. Senate Committee on Commerce, Science, and Transportation, March 2014
- "The Target Breach: A Case Study" - Huntress Labs
- "Target Agrees to Pay $18.5 Million in Multistate Data Breach Settlement" - Various state attorneys general, May 2017
- "Important Notice: Unauthorized Access to Payment Card Data" - Target Corporation, December 2013