Target Data Breach: Timeline, Cost, and Lessons Learned

Learn what the Target data breach teaches about vendor risk and credential security.

In late 2013, attackers stole payment card data from 40 million Target customers. Personal information from 70 million more was exposed too.

The total cost exceeded $200 million. But the breach didn’t start with some zero-day exploit. It started with stolen credentials from an HVAC vendor.

That attack pattern, a compromised vendor login used to reach a corporate network, still drives breaches today.

This case study breaks down how the Target data breach happened, what it cost, and what your security team can learn from it.

What Happened in the Target Data Breach?

The Target data breach of 2013 remains one of the most studied cyberattacks in retail history. The scale and simplicity of the attack made it a turning point for how companies think about security.

Attackers gained access to Target’s network in mid-November 2013. They used stolen credentials from Fazio Mechanical, a third-party HVAC vendor. Once inside, they moved laterally until they reached point-of-sale systems across 1,797 stores.

Over three weeks, malware on those POS systems captured payment card data from every in-store transaction. About 40 million cards were compromised. Attackers also stole personal information from 70 million additional customers.

The breach wasn’t discovered by Target’s own team. Their FireEye deployment generated alerts about the malware. Nobody investigated them. An external payment processor identified suspicious transactions and contacted Target in mid-December. By that point, attackers had been siphoning card data for nearly three weeks.

Attack Timeline

• Mid-November 2013: Attackers steal Fazio Mechanical credentials via phishing
• November 27: Malware installed on POS systems (Black Friday weekend)
• Late November: FireEye generates alerts about suspicious activity
• December 12: Department of Justice notifies Target of the breach
• December 15: Target removes malware from POS systems
• December 19: Target publicly discloses the breach
• January 2014: Target confirms 70 million additional records compromised

How Did Attackers Get Into Target’s Network?

The entry point wasn’t a zero-day exploit or some rare vulnerability. It was a compromised vendor login.

Fazio Mechanical, a Pennsylvania-based HVAC company, had remote access to Target’s network for electronic billing and contract submissions. Attackers phished Fazio employees and stole their login credentials.

With those credentials, attackers entered Target’s network. The critical failure was that Fazio’s access wasn’t isolated from sensitive systems. Attackers moved from the vendor portal to Target’s internal network and eventually reached the POS environment.

They installed RAM-scraping malware called BlackPOS on checkout terminals. This malware captured card data at the moment of the swipe, before encryption could protect it. The stolen data was staged on internal servers, then sent to external systems the attackers controlled.

The third-party attack vector used against Target is still one of the most common paths into corporate networks. The Verizon Data Breach Investigations Report consistently names stolen credentials as the top initial access method.

Vendor-related breaches have only become more common since Target. Attackers prefer targeting smaller companies with weaker security to reach larger companies through shared network connections.

How Much Did the Target Data Breach Cost?

The financial damage extended years beyond the initial incident. Target spent over $200 million in total when you add up every line item.

Settlement costs:

• $18.5 million multi-state settlement with 47 attorneys general
• $10 million settlement with affected customers
• $67 million settlement with Visa
• $39 million settlement with banks and credit unions

Direct expenses:

• $61 million in breach-related costs including investigation and legal fees

Business impact:

• Q4 2013 sales dropped 5.3% year over year
• Target’s stock price fell sharply after disclosure
• Both the CIO and CEO resigned
• Customer trust declined and took years to rebuild

The average data breach costs $4.88 million according to IBM’s Cost of a Data Breach Report. Target’s breach cost roughly 40 times that.

The brand damage was harder to quantify. Consumer surveys after the breach showed drops in shopping intent at Target stores. The company spent years rebuilding customer confidence through visible security investments and public transparency.

How Did Target Respond to the Breach?

Target’s initial response was slow, but the long-term security changes were real.

Immediate actions:

• Publicly disclosed the breach on December 19, 2013
• Offered free credit monitoring to affected customers
• Launched a forensic investigation with external security firms
• Cooperated with law enforcement and regulators

Long-term changes:

• Hired a new Chief Information Security Officer
• Built a Cyber Fusion Center for real-time threat monitoring
• Adopted chip-and-PIN technology for REDcard products
• Installed new payment terminals in all stores
• Increased cybersecurity budgets and employee training

Target’s breach response became a widely studied example of what to improve. The biggest lesson from the response: having security tools deployed isn’t enough. You need people and processes ready to act when alerts fire. Many companies increased their security investments after watching what happened to Target.

What Can Your Security Team Learn from the Target Breach?

The Target breach happened in 2013, but the attack pattern hasn’t changed. Here’s what still applies to your team today.

Monitor and Limit Vendor Access

Fazio Mechanical had broader access than they needed. Your vendors should only reach the specific systems required for their work. Every vendor with network access is a potential entry point. Treat vendor credentials with the same scrutiny you apply to employee accounts.

Review vendor permissions regularly and use third-party risk management practices to reduce your exposure.

Segment Your Network

If Target had isolated their POS environment from the general network, attackers couldn’t have pivoted from vendor access to payment systems. Network segmentation contains breaches. Even when attackers get in, segmentation limits what they can reach.

Act on Security Alerts

Target’s FireEye deployment detected the breach. The team didn’t respond. Build response playbooks for every alert type. Run tabletop exercises so your team knows exactly what to do when tools flag suspicious activity.

Watch for Stolen Credentials

The breach started with a compromised vendor account. Credential monitoring catches exposed passwords before attackers use them. If Target had detected Fazio’s compromised credentials on the dark web, they could have revoked access before the attack began.

Build and Test Your Incident Response Plan

Target’s delayed response made everything worse. A tested incident response plan ensures your team acts fast when it counts. The NIST Cybersecurity Framework provides a solid starting point for building one.

Conclusion

The Target data breach started with one vendor’s stolen credentials. Attackers used that access to compromise tens of millions of payment cards and customer records.

The key takeaways for your team:

• Limit vendor access and isolate it from critical systems
• Respond to alerts when your security tools flag activity
• Monitor for leaked credentials through dark web monitoring before attackers exploit them
• Test your incident response plan before you need it

Stolen credentials are still the most common way attackers get in. Find exposed credentials fast and reset them faster.

Detect leaked credentials before attackers use them. Book a demo to see how Breachsense monitors the dark web for your exposed data.