Other
Supply Chain
US Senate Commerce Committee / BreachSense / Huntress
Primary Source
Incident Details
Attackers phished Fazio Mechanical (HVAC vendor) to steal Target network credentials in Nov 2013. Moved laterally from vendor-accessible HVAC network segment to POS environment due to lack of network segmentation. Installed BlackPOS RAM-scraper on 1,797 store checkout terminals. Scraped payment card data from memory during transaction window. Exfiltrated ~40M credit/debit card numbers + 70M PII records to Russian FTP servers. FireEye alerts ignored. Breach detected by external payment processor. $18.5M settlement.
Technical Details
- Initial Attack Vector: CWE-1104: Use of Unmaintained Third-Party Components (phishing of HVAC vendor Fazio Mechanical for network credentials, then lateral movement to POS environment)
- Vendor / Product: Target Corporation POS systems
- Malware Family: BlackPOS / Kaptoxa
- Supply Chain Attack: Confirmed third-party / vendor compromise
Timeline
- 2013-11-15 Breach occurred
- 2013-12-18 Publicly disclosed
- 2013-12-19 Customers notified