Museum Wire
Law 0 · Katie's LawEvery system is shaped by the human drive to do less work. This is not a flaw. It is the economic force that produces all software — and all software failure.Law I · Boundary CollapseWhen data crosses into a system that interprets structure, without being constrained, it becomes executable.2026 IncidentAxios. 70 Million Downloads a Week. North Korea Inside.Law II · Ambient AuthorityWhen a system trusts the presence of a credential instead of verifying the intent behind it, authentication becomes indistinguishable from authorization.AXM-001Set Theory — Membership, Boundaries, and BelongingLaw III · Transitive TrustWhen a system inherits trust from a source it did not verify, the attack surface extends to everything that source touches.2026 IncidentClaude Code — The Accept-Data-Loss FlagLaw IV · Complexity AccretionSystems do not become complex. They accumulate complexity — one reasonable decision at a time — until no single person can hold the whole in their head.Law V · Temporal CouplingCode that assumes sequential execution, stable state, or consistent timing will fail the moment concurrency, scale, or latency proves the assumption wrong.2026 IncidentCopy Fail — 732 Bytes to Root on Every Linux DistributionAXM-002Boolean & Propositional Logic — True, False, and the Excluded MiddleLaw VI · Observer InterferenceWhen the system that monitors health becomes a participant in the system it monitors, observation becomes a failure vector.2025Amazon Kiro — The 13-Hour Outage2025Operation Chrysalis: The Notepad++ Supply Chain Hijack2025Replit Agent — The Vibe Code Wipe2025Shai-Hulud — The npm Worm That Ate Its Own Ecosystem2024Air Canada Chatbot — The Policy That Wasn't2024Change Healthcare — One-Third of US Healthcare, One Missing MFA2024CrowdStrike — The Security Update That Broke the World2024Google Gemini Image Generation — The Six-Day Pause2024XZ Utils — The Two-Year Infiltration20233CX — The Supply Chain That Ate Another Supply Chain2023Amazon Prime Video — The Per-Frame State Machine2023Bing Sydney — The Chatbot That Went Rogue2023Samsung ChatGPT Leak — The Employee Who Pasted the SecretEFFODE · LEGE · INTELLEGELaw 0 · Katie's LawEvery system is shaped by the human drive to do less work. This is not a flaw. It is the economic force that produces all software — and all software failure.Law I · Boundary CollapseWhen data crosses into a system that interprets structure, without being constrained, it becomes executable.2026 IncidentAxios. 70 Million Downloads a Week. North Korea Inside.Law II · Ambient AuthorityWhen a system trusts the presence of a credential instead of verifying the intent behind it, authentication becomes indistinguishable from authorization.AXM-001Set Theory — Membership, Boundaries, and BelongingLaw III · Transitive TrustWhen a system inherits trust from a source it did not verify, the attack surface extends to everything that source touches.2026 IncidentClaude Code — The Accept-Data-Loss FlagLaw IV · Complexity AccretionSystems do not become complex. They accumulate complexity — one reasonable decision at a time — until no single person can hold the whole in their head.Law V · Temporal CouplingCode that assumes sequential execution, stable state, or consistent timing will fail the moment concurrency, scale, or latency proves the assumption wrong.2026 IncidentCopy Fail — 732 Bytes to Root on Every Linux DistributionAXM-002Boolean & Propositional Logic — True, False, and the Excluded MiddleLaw VI · Observer InterferenceWhen the system that monitors health becomes a participant in the system it monitors, observation becomes a failure vector.2025Amazon Kiro — The 13-Hour Outage2025Operation Chrysalis: The Notepad++ Supply Chain Hijack2025Replit Agent — The Vibe Code Wipe2025Shai-Hulud — The npm Worm That Ate Its Own Ecosystem2024Air Canada Chatbot — The Policy That Wasn't2024Change Healthcare — One-Third of US Healthcare, One Missing MFA2024CrowdStrike — The Security Update That Broke the World2024Google Gemini Image Generation — The Six-Day Pause2024XZ Utils — The Two-Year Infiltration20233CX — The Supply Chain That Ate Another Supply Chain2023Amazon Prime Video — The Per-Frame State Machine2023Bing Sydney — The Chatbot That Went Rogue2023Samsung ChatGPT Leak — The Employee Who Pasted the SecretEFFODE · LEGE · INTELLEGE
Keyboard Navigation
W
A
S
D
or arrow keys · M for map · Q to exit
← Back to Incident Room
2013breachCorporation

Target — When the HVAC Vendor Was the Attack Surface

Attackers stole 40 million credit card numbers and 70 million customer records after gaining access through an HVAC vendor's network credentials. Target's FireEye security system detected the malware but alerts were ignored.

2 min read
Root Cause

Attackers compromised Fazio Mechanical Services (HVAC vendor) via phishing email. Fazio's VPN credentials provided access to Target's network. Insufficient segmentation allowed lateral movement from the HVAC management system to point-of-sale payment systems.

Aftermath

CEO and CIO both resigned. $292 million in total costs. The breach became the canonical example of third-party vendor risk and drove industry-wide adoption of network segmentation and vendor access management.

The Incident

In December 2013, Target Corporation disclosed that attackers had stolen approximately 40 million credit and debit card numbers and personal information for 70 million customers. The breach occurred during the peak holiday shopping season — from November 27 to December 15, 2013.

The Root Cause

The attack began with a phishing email sent to Fazio Mechanical Services — a refrigeration and HVAC contractor that did work for Target. The email delivered credential-stealing malware. Using Fazio's stolen VPN credentials, the attackers accessed Target's network.

Once inside, the attackers moved laterally from the HVAC vendor's network segment to Target's point-of-sale systems. This was possible because Target's network lacked adequate segmentation — the HVAC management system and the payment processing system were accessible from the same network. The attackers installed RAM-scraping malware on POS terminals that captured card data as it was processed.

Target's FireEye security system — installed just months earlier — detected the malware and generated alerts. The alerts were sent to Target's security operations center in Minneapolis and to a team in Bangalore. The Bangalore team notified Minneapolis. The alerts were not acted upon.

Why It Matters

Your HVAC vendor has access to your payment systems. A phishing email to a refrigeration company led to the theft of 40 million credit cards. The security system detected the breach and raised alerts — which were ignored. Target had every tool needed to prevent or stop this breach. The failure was not technical capability. It was organizational response.

Techniques
third party compromisenetwork segmentation failureignored alerts