Attackers targeted the major US retailer via a phishing campaign on one of its third-party vendors. The vendor downloaded a file containing a virus which was designed to collect all of the data entered within the system. From here the attackers were able to obtain the vendor's login credentials to the retailer's systems.
With these stolen credentials the attackers gained access to the retailer's system and were able to move about freely within the network unnoticed over a two week period. Whilst there they installed malware to attack the POS system enabling them to enter the system again and again to steal information about the 110 million people who shopped at the retailer in late December 2013.
Target's CEO resigned as a result of the breach and the associated financial costs reportedly exceeded USD$300 million.
In March 2022, U.S. District Court in St. Paul ruled that Target's general liability policy covered some of the data breach losses after nearly a decade of dispute between the company and their insurance company.
Want to discuss this case? You can purchase a 30 minute conference call with our analysts to discuss this case and the implications it has for your organisation. Just select the time and date that works for you:
We've done the analysis so you can make the decisions