40 Million Cards: The Target Data Breach


Target: 40 Million Cards

Black Friday, 2013. The parking lots of Target’s 1,800 stores were full.

Inside each store, Point of Sale terminals — the machines that accept credit and debit cards at checkout — were quietly doing something their operators would not discover for another month. Every time a customer swiped a card, in the milliseconds before the payment data was encrypted and passed downstream, a small piece of software was watching. Reading. Copying.

The data was moved out in batches: first to staging servers inside Target’s own network, then onward to FTP drop servers in Eastern Europe. Forty million payment card numbers, with cardholder names, expiration dates, service codes and the card verification value encoded on the stripe itself. The complete contents of the magnetic stripe, everything needed to encode a counterfeit card. The printed CVV2 used for online purchases does not live on the stripe and was not what this malware took.

For eighteen days, some of the most capable payment card criminals of their generation were operating inside the registers of America’s second-largest discount retailer, during the busiest shopping season of the year, while Target’s own security tools flagged the intrusion and nobody acted on the alerts.

Threat Actor Profile: Rescator

Handle: Rescator
Real Name (alleged): Andrei Hodirevski, a Ukrainian national, per Brian Krebs’s December 2013 reporting; alleged connections to organized cybercrime networks operating across Eastern Europe. Attribution rests on investigative journalism, blockchain analysis and law enforcement findings from multiple jurisdictions, and no US indictment against this individual had been confirmed at the time of writing.
Role: Operator of the carding market where Target’s stolen cards were sold in batches beginning December 2013. The “Rescator” identity was the public-facing brand for distributing compromised card data.
Status: No confirmed arrest.

Notorious Operations:

  • Target (November–December 2013): 40 million payment card numbers stolen across 1,800 stores during the peak holiday shopping period. Cards sold in batches on dark web carding markets starting December 2013 under the “Rescator[.]cc” branding.
  • Home Depot (2014): A similar playbook, run from April to September 2014: a third-party vendor’s credentials, privilege escalation inside Home Depot’s network, memory-scraping POS malware and magnetic stripe data theft, yielding approximately 56 million payment cards. Krebs reported the malware as a BlackPOS variant; Home Depot described it as custom-built, and analysts disagreed on how much code it shared with the Target tools. The cards were again sold through Rescator’s shops.
  • Neiman Marcus (2013): A separate campaign that ran from July to October 2013 and was disclosed in January 2014, using different memory-scraping malware against Neiman Marcus registers. The initial estimate of 1.1 million affected cards was later revised down to roughly 350,000. Public reporting did not tie it to Rescator’s operation.

The Vector: An HVAC Company in Pennsylvania

The architecture of the Target breach became a textbook case in supply chain vulnerability — not of software, but of institutional trust.

Fazio Mechanical Services was a small HVAC and refrigeration contractor based in Sharpsburg, Pennsylvania, with a legitimate business relationship with Target. Its network connection to Target was not a remote monitoring link to heating or refrigeration units: by Fazio’s own account it was used exclusively for electronic billing, contract submission and project management through a Target vendor web portal.

Roughly two months before card data began leaving Target’s registers, according to later reporting, a Fazio employee opened a phishing email that installed Citadel, a banking trojan built from the leaked Zeus source code. Citadel captured credentials entered and stored on the infected machine. Among them were the username and password for Fazio’s Target vendor portal.

Those credentials reached the attackers. Armed with them, they signed into Target’s vendor portal, reportedly on November 15, 2013.

They were not supposed to be able to reach payment systems from there. Target’s network was meant to keep vendor access segmented from internal operational systems. How the attackers crossed from the vendor portal into the internal network was never publicly detailed, but the outcome shows the segmentation was not enforced: a login intended for submitting invoices ended within reach of the POS environment.

The attackers moved laterally until they found the payment processing environment. Between November 15 and November 28 they installed their malware on a small number of registers and tested it. By November 30 it was running on most of Target’s POS terminals.

BlackPOS: The Memory Scraper

The malware they deployed was a variant of BlackPOS — a RAM scraping tool available on underground forums for approximately $1,800–$2,000 from its alleged author, operating under the handle “ree4.”

RAM scraping exploits a narrow window in the payment card lifecycle. When a card is swiped at a POS terminal, the payment application briefly holds the cleartext magnetic stripe data in memory while it builds the authorization request, before that data is encrypted for transmission to the payment processor. The window is measured in milliseconds, but it exists, and it is readable by any software running with sufficient privilege on the same host. Encrypting on the wire does nothing about it; only encrypting inside the card reader hardware, before the data reaches the terminal’s memory (point-to-point encryption), closes it.

BlackPOS ran on Target’s Windows-based POS terminals and scanned the memory of the payment application process for strings shaped like Track 2 data: the magnetic stripe field, up to 40 characters including sentinels, that holds the primary account number, a separator, the expiration date, the service code and issuer discretionary data such as the stripe’s card verification value. Matches were written to a local file. Exfiltration ran in batches: at intervals during store hours the file was copied over an SMB share to a compromised server inside Target’s network, and from there pushed by FTP to external drop servers, through relay nodes in the United States to a destination in Eastern Europe.
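The pattern match at the heart of a RAM scraper, and equally of a memory-forensics hunt for exposed card data, is simple enough to show. The Python below is an added illustration written for this page, not BlackPOS code and not anything Target ran: it scans a constructed byte buffer (standing in for a slice of a POS process’s memory) for Track 2 shaped strings, discards false positives with the Luhn check and an expiry sanity test, and reads the service code to tell whether the card is chip-capable. The buffer contents, the test PAN and the function names are constructed for the example.

```python
import re
from datetime import date

# Track 2 layout (ISO/IEC 7813): ;PAN=YYMMSSS<discretionary>?  with a 13-19 digit PAN,
# a 4-digit expiry, a 3-digit service code, then issuer data (CVV1, PVV) up to '?'.
# A scraper matches this shape in process memory; a hunt over a memory dump does the same.
TRACK2_RE = re.compile(
    rb';?(?P<pan>\d{13,19})=(?P<yymm>\d{4})(?P<svc>\d{3})(?P<disc>\d{0,20})\??'
)

# Constructed sample buffer standing in for a slice of a POS process's memory.
# 4111111111111111 is the well-known Luhn-valid test number, not a real card.
SAMPLE_BUFFER = (
    b'\x00\x00pos.exe\x00 approved ;4111111111111111=1512101000012345678? tx=0042 '
    b'\x00;1234567890123456=1512101? '   # Luhn-invalid: noise that looks like a track
    b'\x00;4111111111111111=1513101? '   # month 13: not a valid expiry, also noise
    b'\x00 total=12.99 \x00'
)


def luhn_ok(pan: str) -> bool:
    """Luhn mod-10 check that every payment card PAN must pass."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def service_code_meaning(svc: str) -> str:
    """The first service code digit says whether the card carries a chip (2xx/6xx)."""
    first = svc[0]
    if first in '26':
        return 'chip card: an EMV terminal will demand the chip rather than accept the stripe'
    if first in '15':
        return 'magnetic stripe only'
    return 'other/private use'


def find_track2(buf: bytes, today: date) -> list:
    """Return masked Track 2 hits found in buf, filtering obvious false positives."""
    hits = []
    for m in TRACK2_RE.finditer(buf):
        pan = m.group('pan').decode()
        yymm = m.group('yymm').decode()
        yy, mm = int(yymm[:2]), int(yymm[2:])
        exp_year = 2000 + yy
        if not luhn_ok(pan) or not 1 <= mm <= 12:
            continue
        if exp_year < today.year or exp_year > today.year + 10:
            continue                        # expired or implausibly far out: not a live card
        svc = m.group('svc').decode()
        hits.append({
            'offset': m.start(),
            'pan_masked': pan[:6] + '*' * (len(pan) - 10) + pan[-4:],
            'expiry': f'{mm:02d}/{exp_year}',
            'service_code': svc,
            'card_type': service_code_meaning(svc),
        })
    return hits


def scan_sample() -> list:
    """Run the scan over the constructed buffer as of a date inside the breach window."""
    return find_track2(SAMPLE_BUFFER, date(2013, 12, 1))


if __name__ == '__main__':
    for hit in scan_sample():
        print(hit)
```

On a real memory dump you would feed the file’s bytes to find_track2 and treat any hit on a payment host as an incident: cleartext track data sitting in process memory is exactly the exposure a scraper depends on. The PAN is masked in the output so the hunt itself does not become a second leak.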

Target had months earlier rolled out FireEye’s malware detection platform across its network, and a contracted team in Bangalore, India watched its console around the clock. As the attackers staged their exfiltration tooling, FireEye raised alerts, first at the end of November and again in early December, and the Bangalore team flagged them to Target’s security operations center in Minneapolis.

Minneapolis did not act on them. The platform’s option to automatically delete detected malware had also been turned off, so the tool could warn but not stop.

The full significance of this detail cannot be overstated: Target had already purchased, deployed and configured security software that correctly identified the intrusion in progress. The system worked. The humans did not.

The Discovery: A Bank Notices the Pattern

The breach was not discovered by Target. It was discovered by American banks.

In mid-December 2013, fraud analysts at several banks saw the signature of a merchant breach: a spike in fraudulent transactions across many cardholders whose recent purchase histories overlapped at a single point, Target stores during the November–December window. This common point of purchase analysis is how issuers routinely localize a compromise before the merchant knows about it. Federal investigators reached the same conclusion, and the Department of Justice notified Target on December 12, 2013.

Target’s internal investigation confirmed the breach on December 15. Brian Krebs broke the story on December 18, and Target confirmed it publicly on December 19.
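The issuer-side detection the banks used has a standard shape, common point of purchase analysis: for each merchant, compare the share of confirmed-fraud cards that transacted there during a window with the share of clean cards that did, and rank merchants by that lift. The Python below is an added example written for this page, not any bank’s or Target’s code, run over constructed transaction records (six fraud-reported cards, ten clean baseline cards, and a hypothetical merchant named TARGET_STORE_0001).

```python
# Constructed sample data, not real transaction records. Each row is
# (card_id, merchant, ISO date). Cards c1..c6 were reported as fraud by their
# holders; k1..k10 are clean cards that give the baseline merchant mix.
FRAUD_CARDS = {'c1', 'c2', 'c3', 'c4', 'c5', 'c6'}
TRANSACTIONS = [
    ('c1', 'TARGET_STORE_0001', '2013-11-29'), ('c1', 'GROCER', '2013-12-01'),
    ('c2', 'TARGET_STORE_0001', '2013-11-30'), ('c2', 'GAS', '2013-12-02'),
    ('c3', 'TARGET_STORE_0001', '2013-12-03'), ('c3', 'GROCER', '2013-12-04'),
    ('c4', 'TARGET_STORE_0001', '2013-12-05'), ('c4', 'GAS', '2013-12-06'),
    ('c5', 'TARGET_STORE_0001', '2013-12-07'), ('c5', 'GROCER', '2013-12-08'),
    ('c6', 'TARGET_STORE_0001', '2013-12-09'),
    ('c6', 'GROCER', '2013-11-01'),             # before the window: ignored
    ('k1', 'TARGET_STORE_0001', '2013-11-28'), ('k1', 'GROCER', '2013-12-01'),
    ('k2', 'TARGET_STORE_0001', '2013-12-02'), ('k2', 'GAS', '2013-12-03'),
    ('k3', 'GROCER', '2013-12-01'), ('k3', 'GAS', '2013-12-04'),
    ('k4', 'GROCER', '2013-12-02'), ('k4', 'GAS', '2013-12-05'),
    ('k5', 'GROCER', '2013-12-03'), ('k5', 'GAS', '2013-12-06'),
    ('k6', 'GROCER', '2013-12-04'),
    ('k7', 'GAS', '2013-12-07'),
    ('k8', 'HARDWARE', '2013-12-08'),
    ('k9', 'HARDWARE', '2013-12-09'),
    ('k10', 'HARDWARE', '2013-12-10'),
]


def rank_common_points_of_purchase(transactions, fraud_cards, start, end,
                                   min_fraud_cards=3):
    """Rank merchants by how over-represented they are among fraud cards.

    ISO dates compare correctly as strings, so the window test is a plain
    comparison. Lift = (fraud share) / (clean share); computed as a ratio of
    integers so the result is exact.
    """
    seen = {}                                   # merchant -> set of cards seen there
    for card, merchant, day in transactions:
        if start <= day <= end:
            seen.setdefault(merchant, set()).add(card)

    clean_cards = set().union(*seen.values()) - fraud_cards
    total_fraud, total_clean = len(fraud_cards), len(clean_cards)

    results = []
    for merchant, cards in seen.items():
        fraud = len(cards & fraud_cards)
        if fraud < min_fraud_cards:             # too few cards to call a pattern
            continue
        clean = len(cards - fraud_cards)
        if clean == 0:
            lift = float('inf')                 # only fraud cards went there
        else:
            lift = (fraud * total_clean) / (clean * total_fraud)
        results.append({
            'merchant': merchant,
            'fraud_cards': fraud,
            'clean_cards': clean,
            'fraud_share': fraud / total_fraud,
            'lift': lift,
        })
    results.sort(key=lambda r: (-r['lift'], -r['fraud_cards']))
    return results


def rank_sample():
    """Run the analysis over the constructed records for the Target window."""
    return rank_common_points_of_purchase(TRANSACTIONS, FRAUD_CARDS,
                                          '2013-11-27', '2013-12-15')


if __name__ == '__main__':
    for row in rank_sample():
        print(row)
```

Every fraud card in the sample hit TARGET_STORE_0001 while only a fifth of the clean cards did, so it ranks first with a lift of 5.0; the grocer, visited by fraud and clean cards alike, scores a lift of 1.0 and is just background. The min_fraud_cards floor keeps a merchant from being flagged on two coincidental reports, which is the main source of noise in this analysis.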

The public announcement triggered a financial industry firestorm. Card issuers began mass-reissuing credit and debit cards. The cost of reissuance alone — plastic, postage, customer service — ran to hundreds of millions of dollars across the banking industry.

The stolen cards had already been for sale on Rescator’s market for roughly a week.

The Damage

The financial and reputational consequences were among the most severe ever suffered by a US retailer:

  • $18.5 million settlement with 47 state attorneys general — the largest data breach settlement of its kind at the time.
  • $67 million settlement with Visa.
  • A $19 million settlement with MasterCard, announced in April 2015, collapsed when too few issuing banks accepted it; Target later settled with the affected banks for $39 million.
  • Total net losses estimated at $162 million after insurance reimbursements.
  • CEO Gregg Steinhafel resigned in May 2014 — one of the first instances of a corporate chief executive losing their position as a direct consequence of a cybersecurity failure. The precedent was noted across every boardroom in America.
  • CIO Beth Jacob also resigned.
  • Target subsequently hired its first Chief Information Security Officer (CISO) — a position that had not previously existed at the company.

The breach changed the conversation around payment card security in the United States in a way that industry lobbying had resisted for years. The card networks’ EMV liability shift, which moved counterfeit fraud losses onto whichever party had not upgraded to chip, took effect in October 2015, less than two years after the Target disclosure, and US chip card deployment (mostly chip-and-signature rather than chip-and-PIN) went from laggard to broad in that window. The caveat matters for anyone designing the defence: EMV does not stop a memory scraper from reading track-equivalent data off a terminal. What it does is make that data far less useful, because a counterfeit stripe encoded from chip data carries the wrong verification value and a chip-capable service code, so an EMV terminal will demand the chip rather than accept the swipe. Taking the cleartext out of terminal memory altogether is the job of point-to-point encryption at the reader.

The lesson was written in forty million card numbers: if the POS terminal holds unencrypted data, even briefly, that data can be taken.


Attack Chain: Target — BlackPOS RAM Scraper

graph TD
    A["🎯 Attackers\n(Eastern European Cybercrime\nLinked to Rescator / Ukrainian Ecosystem)"] --> B["Reconnaissance\nIdentify Target Supply Chain\nMap Vendor Portal Access"]

    B --> C["Phishing Email Sent to\nFazio Mechanical Services\n(HVAC Contractor — Sharpsburg, PA)\nNov 2013"]

    C --> D["Citadel Banking Trojan\nDeployed on Fazio Employee Machine\n(Zeus-descended credential stealer)"]

    D --> E["Fazio's Target Vendor Portal\nCredentials Harvested"]

    E --> F["Sign Into Target\nVendor Web Portal\n(Legitimate Contractor Access)"]

    F --> G["Lateral Movement\nInsufficient Network Segmentation\nVendor Network → Internal Network"]

    G --> H["Reach Payment\nProcessing Environment\nTarget POS Network"]

    H --> I["BlackPOS RAM Scraper\nDeployed on Windows POS Terminals\nAcross 1,800 Stores"]

    I --> J["Continuous RAM Scan\nMonitor Process Memory\nfor Track 2 Data Pattern"]

    J --> K{"Customer Swipes Card"}
    K --> L["Unencrypted Magnetic Stripe Data\nBriefly in RAM\n(Pre-encryption window)"]
    L --> M["BlackPOS Captures:\nPAN + Expiry + Service Code\n+ Stripe CVV1, Logged to Local File"]
    M --> K

    M --> N["Batch Exfiltration\nData Staged on\nTarget Internal Servers"]
    N --> O["External Exfiltration\nFTP to Eastern European Servers\nvia US Relay Nodes"]

    I --> P["FireEye Alert Generated\n(November–December 2013)\nFlags BlackPOS Activity"]
    P --> Q["Bangalore Team Flags Alerts to\nMinneapolis SOC\n🔴 No Action Taken"]

    O --> R["40 Million Card Records\nExfiltrated Nov 27–Dec 15"]
    R --> S["Cards Listed on\nRescator[.]cc Market\nDecember 2013"]

    S --> T["Banks Detect Fraud Pattern\nShared POP: Target Stores\nDec 2013"]

    T --> U["US Department of Justice\nNotifies Target\nDec 12, 2013"]
    U --> V["Target Confirms Internally Dec 15\nPublic Disclosure\nDecember 19, 2013"]

    V --> W["Card Issuers: Mass Reissuance\nHundreds of Millions in Industry Costs"]
    V --> X["Target Consequences:\n$162M Net Loss\nCEO + CIO Resign\nFirst CISO Hired"]
    V --> Y["AG Settlement: $18.5M\n(Largest Data Breach\nSettlement at the Time)"]
    V --> Z["US EMV Chip Card\nAdoption Accelerates\n2015–2016"]