2013 Target Cyber Incident 

In late 2013, Target Corporation, one of the United States’ largest retailers, experienced a significant cyberattack that compromised sensitive data of approximately 110 million customers. The breach occurred between November 27 and December 18, during the peak holiday shopping season. Attackers exploited a vulnerability via a third-party vendor, Fazio Mechanical Services, gaining access to Target’s network and deploying malware on point-of-sale (POS) systems. This allowed the attackers to steal financial information, including credit and debit card details, as well as personal customer data (Commerce Senate Report).

Target publicly acknowledged the breach on December 19, 2013, confirming earlier reports of unauthorized access. In collaboration with federal agencies such as the U.S. Secret Service and private cybersecurity experts, the company identified malware installed on POS terminals as the primary method used to exfiltrate data to a server in Eastern Europe. Despite extensive investigations, Target provided limited technical details about the attack, consistent with the approach taken by many organizations facing similar incidents (Commerce Senate Report).


Immediate and Long-Term Financial Impacts

Total Financial Impact: $739.5M

Legal Settlements and Regulatory Penalties

  • Visa Settlement (2015): $67 million
  • Multistate Attorneys General Settlement (2017): $18.5 million
  • Consumer Class-Action Settlement (2015): $10 million
  • Financial Institutions Class-Action Settlement (2015): $39 million
  • MasterCard Settlement: $19 million
  • Various Banks and Credit Unions: $20 million
  • Subtotal for Settlements and Penalties: $173.5 million (Source: Commerce Senate Report)

Costs Related to Security Enhancements and Investigations

  • Fiscal Year 2013: $61 million (gross)
  • Fiscal Year 2014: $191 million (gross)
  • Fiscal Year 2015: $4 million (net of insurance)
  • Total Gross Expenses through 2015: $256 million
  • Insurance Reimbursements: $90 million
  • Net Security and Investigation Costs: $166 million (Source: Target 2015 10-K)

Business Losses

  • Weaker Than Expected Q4 2013 Sales: Estimated 2-3% revenue loss (~$400 million in lost sales), based on $21 billion in Q4 revenue.
  • Stock Value Decline: Indirect but notable, with an $8 per share loss (~$5 billion in market cap decline); this isn’t typically included in direct breach costs.
  • Total Estimated Revenue Loss: ~$400 million (Source: TheDeepHub Case Study)

Total Estimated Costs

  • Direct Costs (Settlements, Security, Investigations): $339.5 million
  • Indirect Costs (Revenue Loss): $400 million
  • Grand Total (Direct + Indirect Costs): $739.5 million (Source: Target 2015 10-K)

Legal and Compliance Fallout

  • Federal Investigations: DOJ and FTC conducted investigations into the breach to assess Target’s data security practices and compliance with federal regulations.
  • State-Level Inquiries: Multiple state attorneys general initiated investigations into the breach’s impact on consumers within their jurisdictions, resulting in $18.5 million in settlements (Source: Nevada Attorney General).
  • Congressional Hearings: Target executives testified before congressional committees to provide insights into the breach, its causes, and the company’s response measures (Source: Commerce Senate Report).

Target’s 2015 10-K statement reflected the ongoing legal and regulatory burdens following the attack:

“The Data Breach we experienced was significant, went undetected for several weeks, and involved the theft of certain payment card and guest information through unauthorized access to our network. We experienced weaker than expected sales immediately following the announcement of the Data Breach, and we are currently facing litigation seeking damages or other related relief allegedly arising out of the Data Breach. In addition, state and federal agencies, including State Attorneys General, the Federal Trade Commission, and the SEC, are investigating events related to the Data Breach, including how it occurred, its consequences, and our responses. […] The governmental agencies investigating the Data Breach may seek to impose fines and/or other monetary relief and/or injunctive relief that could materially increase our data security costs, adversely impact how we operate our network and collect and use guest information, and put us at a competitive disadvantage with other retailers.” (Source: Target 2015 10-K)


Lockheed Martin Cyber Kill Chain Analysis

The Target data breach followed the Lockheed Martin Cyber Kill Chain in the following stages:

  1. Reconnaissance – Attackers targeted Fazio Mechanical Services, a third-party HVAC vendor, using phishing emails to gain credentials.
  2. Weaponization – Stolen credentials allowed attackers to access Target’s internal network via the vendor’s remote access portal.
  3. Delivery – Malware was deployed onto Target’s POS systems through the compromised network.
  4. Exploitation – Attackers leveraged privileges within the network to move laterally and install additional malware.
  5. Installation – POS malware extracted and collected credit card data from in-store transactions.
  6. Command and Control (C2) – Data was exfiltrated to external servers in Eastern Europe, enabling attackers to maintain access.
  7. Actions on Objectives – Stolen payment data was sold on the dark web, leading to widespread fraudulent transactions (TheDeepHub Case Study).
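
The vendor access, lateral movement to POS systems and exfiltration to external servers listed above each cross a network boundary that flow logs can record. The following Python check is an added example, not part of the original case study or of any Target material; the zone names, address ranges, allow-lists and the `zone_of`, `check_flow` and `audit` helpers are assumptions, and the flow records are constructed.

```python
import ipaddress

# Hypothetical zone layout; every address here is constructed for the example.
ZONES = {
    "vendor_portal": ipaddress.ip_network("10.10.0.0/24"),
    "pos_mgmt": ipaddress.ip_network("10.40.0.0/24"),
    "pos": ipaddress.ip_network("10.50.0.0/16"),
    "corp": ipaddress.ip_network("10.0.0.0/8"),  # catch-all, matched last
}
POS_INBOUND_ALLOWED = {"pos", "pos_mgmt"}  # assumed policy: who may connect into POS
POS_EGRESS_ALLOWED = [ipaddress.ip_network("198.51.100.0/28")]  # assumed processor range

def zone_of(ip):
    """Map an address to the first matching zone, or 'external'."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "external"

def check_flow(src, dst):
    """Return the violated rule for one flow, or None if it is permitted."""
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    if dst_zone == "pos" and src_zone not in POS_INBOUND_ALLOWED:
        return "inbound_to_pos:" + src_zone
    if src_zone == "pos" and dst_zone == "external":
        if not any(ipaddress.ip_address(dst) in net for net in POS_EGRESS_ALLOWED):
            return "pos_egress"
    return None

def audit(lines):
    """Parse 'src dst dport' records and return (rule, src, dst, dport) findings."""
    findings = []
    for line in lines:
        src, dst, dport = line.split()
        rule = check_flow(src, dst)
        if rule:
            findings.append((rule, src, dst, int(dport)))
    return findings

# Constructed flow records, not data from the incident.
SAMPLE_FLOWS = [
    "10.10.0.15 10.50.12.7 445",    # vendor portal straight into POS
    "10.40.0.5 10.50.12.7 22",      # POS management host, permitted
    "10.20.3.8 10.50.12.9 445",     # corporate host into POS
    "10.50.12.7 198.51.100.4 443",  # POS to allow-listed processor
    "10.50.12.7 203.0.113.77 21",   # POS to an unlisted external host
]

print(*audit(SAMPLE_FLOWS), sep="\n")
```

Each finding names the boundary that was crossed, so the same records can feed both an alert and a firewall rule review.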

Conclusion

The 2013 Target data breach remains one of the most costly and impactful cyber incidents in retail history. The total estimated financial impact of $696.5 million showcases the real cost of cybersecurity failures—not just in direct expenses, but in lost revenue, legal repercussions, and brand damage. This breach underscores the risks associated with third-party vendors, the importance of network segmentation, and the need for proactive cybersecurity measures.