In the weeks before Thanksgiving 2013 hackers were able to compromise Target’s point of service payments system with malware. The attackers initially gained access to Target’s network using credentials obtained from heating, ventilation, and air-conditioning subcontractor Fazio Mechanical Services via a phishing email that included the Citadel Trojan.

Before the Trojan was found and eradicated, more than 40 million individual credit card numbers and 70 million names and addresses were harvested from Target’s 1797 stores in the USA. At this writing in 2015, Target has spent upwards of $61 million responding to the attack. (And this does not include lost holiday sales due to customer distrust. Target’s 2013 holiday sales dropped 48% from the year prior.)

The scope of the Target attack is striking and underscores two very important points that businesses of any size need to consider.

One, you are only as strong as the weakest link that has access to your systems.

Two, 2-factor authentication offers no protection against social engineering attacks.

Target serves as a good lesson that companies need to require better security from third-party contractors and also that they should limit the network access more broadly.