Target 2013
Forty million credit cards walked out of Target's checkout lanes through a network connection meant for the heating contractor.
The journalist Brian Krebs broke the story in mid-December 2013, before Target itself had publicly acknowledged anything. Within a week, Target was confirming that roughly forty million payment cards had been compromised at point-of-sale terminals across its US stores during the peak of the holiday shopping season.
A path that started in HVAC
The point of entry was not a Target system at all. It was Fazio Mechanical, a small Pennsylvania-based heating, ventilation, and air-conditioning contractor with access to Target's vendor portal for billing and project tracking. Attackers compromised Fazio first — apparently through a generic phishing email laced with the Citadel banking trojan — then used the resulting credentials to pivot into Target's network.
Once inside, they installed memory-scraping malware on the point-of-sale terminals. Every time a card was swiped, the malware harvested the unencrypted track data from RAM before the payment processor encrypted it for transmission. The captured data flowed to a staging server inside Target's own network, then out to drop sites in Eastern Europe.
A new role inside the C-suite
Target's CEO and CIO both resigned in the months that followed. Card networks accelerated the long-stalled rollout of chip cards in the United States. Retailers across the country discovered the term "vendor risk management" and began asking their third-party contractors uncomfortable questions about network segmentation.
What the chronicle remembers
Target was the breach that made the supply-chain attack a board-level concept in retail. The HVAC vendor became the canonical example, retold in awareness training for years afterward, of how an unrelated small business can become the soft entry point into a Fortune 50.