The hackers responsible for the 2013 Target data breach that exposed payment information on 40 million customers had nothing to stop them from accessing every cash register in every Target store, an investigation into the breach has shown. Details from the confidential investigation, conducted by Verizon and obtained by cybersecurity journalist Brian Krebs, also seem to indicate hackers infiltrated Target’s systems by first accessing an air conditioning company that worked with the retail chain.

Target commissioned the investigation, which ran from Dec. 21, 2013, to March 1, 2014, “in anticipation of litigation” from banks and credit card companies that are expected to sue Target for the cost of sending out new cards to the millions of customers impacted by the breach. Remarkably, Krebs reported, Target had “no controls limiting their access to any system, including devices within stores such as point-of-sale [POS] registers and servers.”

Target admitted in January 2014 that hackers used malicious software, later traced to Russia, to break into its networks and access credit and debit card information directly from Target’s checkout lanes through the holiday shopping season. News of the breach diminished holiday sales, the company said, and Target eventually fired its CEO in the breach's wake.

Verizon investigators determined they could easily jump from the scale that operated a deli to a register in the same store. They could have used similar methodology to deploy malware against registers at each of the 1,800 Target stores in the U.S.

They also determined the hackers entered Target’s networks by obtaining credentials from technicians at Fazio Mechanical, a small heating and air conditioning company that worked with Target. Fazio Mechanical was previously hacked with malware that was delivered by email.