Case Studies: Historical Grid
Target Data Breach (2013)
An HVAC Vendor's Stolen Credentials and 40 Million Payment Cards: The Breach That Defined Third-Party Risk
In November 2013, attackers used stolen credentials from Target's HVAC vendor Fazio Mechanical to access the supplier portal and move laterally to POS systems across 1,800 stores. BlackPOS RAM-scraping malware harvested 40 million payment card records in transit before encryption. Target's own security systems generated alerts that went uninvestigated — the breach was ultimately surfaced by DOJ investigators. The case defined third-party vendor access as retail's primary attack vector.
Equifax Data Breach (2017)
A 76-Day Dwell, an Expired SSL Certificate, and 148 Million Americans' Data Silently Exfiltrated
In May 2017, attackers exploited an unpatched Apache Struts vulnerability (CVE-2017-5638) in Equifax's online dispute portal — a patch had been available for two months. The attackers spent 76 days inside the network executing 51 unmonitored database queries, exfiltrating 148 million Americans' SSNs, birth dates, and financial records. An expired internal SSL certificate had blinded the security inspection system to outbound traffic for 19 months prior to discovery.
RSA SecurID Breach (2011)
The Hack That Broke Two-Factor Auth: Nation-State Actors Extract RSA's Entire SecurID Seed Database
In March 2011, RSA Security was breached via a spear-phishing Excel attachment exploiting an Adobe Flash zero-day. Attackers deployed the Poison Ivy RAT, staged the collected data as encrypted RAR archives, and used FTP for exfiltration — all traffic engineered to blend with legitimate patterns. The stolen asset was the seed database for 40 million SecurID tokens deployed at US government agencies and defense contractors, effectively undermining the enterprise 2FA ecosystem at scale.
SHAMOON / Disttrack (2012)
35,000 Saudi Aramco Workstations Wiped in Hours — The Wiper Attack That Redefined Destructive Malware
In August 2012, the SHAMOON wiper simultaneously destroyed the MBR and user files of 35,000 Saudi Aramco workstations across a single weekend, forcing the world's largest oil company to replace its entire PC fleet. Unlike ransomware, the payload carried no ransom demand — its sole purpose was destruction. Forensic recovery was possible only through Active Directory audit logs, offline backup tapes, and partial disk images from machines where payload execution failed mid-run.