Attackers compromised Fazio Mechanical Services (HVAC vendor) via phishing email. Fazio's VPN credentials provided access to Target's network. Insufficient segmentation allowed lateral movement from the HVAC management system to point-of-sale payment systems.
CEO and CIO both resigned. $292 million in total costs. The breach became the canonical example of third-party vendor risk and drove industry-wide adoption of network segmentation and vendor access management.
The Incident
In December 2013, Target Corporation disclosed that attackers had stolen approximately 40 million credit and debit card numbers and personal information for 70 million customers. The breach occurred during the peak holiday shopping season — from November 27 to December 15, 2013.
The Root Cause
The attack began with a phishing email sent to Fazio Mechanical Services — a refrigeration and HVAC contractor that did work for Target. The email delivered credential-stealing malware. Using Fazio's stolen VPN credentials, the attackers accessed Target's network.
Once inside, the attackers moved laterally from the HVAC vendor's network segment to Target's point-of-sale systems. This was possible because Target's network lacked adequate segmentation — the HVAC management system and the payment processing system were accessible from the same network. The attackers installed RAM-scraping malware on POS terminals that captured card data as it was processed.
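As an added example (not from the original article), the two network designs the article contrasts, written as a small first-match firewall policy evaluator: a flat policy under which the vendor VPN pool can reach the POS segment, and a segmented policy that limits that pool to the HVAC management hosts. All address ranges, port numbers and flows are constructed placeholders, not Target's real addressing.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network

# Constructed segments for illustration; not Target's real addressing.
ANY        = ip_network("0.0.0.0/0")
VENDOR_VPN = ip_network("10.50.0.0/24")   # third-party (HVAC vendor) VPN pool
HVAC_MGMT  = ip_network("10.60.1.0/24")   # building-management servers
POS        = ip_network("10.70.0.0/16")   # point-of-sale terminals


@dataclass(frozen=True)
class Rule:
    src: IPv4Network
    dst: IPv4Network
    ports: frozenset      # empty = any destination port
    action: str           # "allow" or "deny"


def evaluate(policy, src_ip, dst_ip, dst_port):
    """First-match evaluation with an implicit default deny."""
    src, dst = ip_address(src_ip), ip_address(dst_ip)
    for r in policy:
        if src in r.src and dst in r.dst and (not r.ports or dst_port in r.ports):
            return r.action
    return "deny"


# The flat design described in the article: any internal host reaches any other.
FLAT_POLICY = [Rule(ANY, ANY, frozenset(), "allow")]

# A segmented design: the vendor VPN reaches only the HVAC management segment
# on HTTPS; everything else from that pool, including the POS segment, is denied.
SEGMENTED_POLICY = [
    Rule(VENDOR_VPN, HVAC_MGMT, frozenset({443}), "allow"),
    Rule(VENDOR_VPN, ANY, frozenset(), "deny"),
    Rule(POS, POS, frozenset(), "allow"),   # terminals talk within their own segment
]


def lateral_movement_blocked(policy, flows):
    """Return the flows the policy denies, to compare the two designs."""
    return [f for f in flows if evaluate(policy, *f) == "deny"]


# Constructed flows: the vendor's legitimate HVAC session and a pivot toward POS.
FLOWS = [
    ("10.50.0.7", "10.60.1.10", 443),   # vendor VPN -> HVAC management (expected)
    ("10.50.0.7", "10.70.3.21", 445),   # vendor VPN -> POS terminal (lateral move)
]

if __name__ == "__main__":
    for name, policy in (("flat", FLAT_POLICY), ("segmented", SEGMENTED_POLICY)):
        print(name, "blocks:", lateral_movement_blocked(policy, FLOWS))
```

Under the flat policy the list of blocked flows is empty; under the segmented policy the vendor-to-POS flow is denied while the vendor-to-HVAC session still works.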
Target's FireEye security system — installed just months earlier — detected the malware and generated alerts. The alerts were sent to Target's security operations center in Minneapolis and to a team in Bangalore. The Bangalore team notified Minneapolis. The alerts were not acted upon.
Why It Matters
Your HVAC vendor has access to your payment systems. A phishing email to a refrigeration company led to the theft of 40 million credit cards. The security system detected the breach and raised alerts — which were ignored. Target had every tool needed to prevent or stop this breach. The failure was not technical capability. It was organizational response.