Heartland Payment Systems: 130 Million Cards and a SQL Injection
A SQL injection attack against Heartland's corporate website gave attackers a foothold that eventually led to sniffing software being installed on the payment processing network, capturing 130 million card numbers.
Background
Heartland Payment Systems was the fifth-largest payment processor in the US in 2008, handling over 100 million transactions per month. As with the TJX breach, this attack was executed by the Albert Gonzalez crew.
The Attack
Attackers used SQL injection against Heartland's public website to gain initial access to internal systems. From there they conducted reconnaissance for months before installing a network sniffer on the payment processing segment — the most sensitive part of the infrastructure. The sniffer captured card data in transit between merchants and the Visa/MasterCard networks before it could be encrypted.
Response
Heartland discovered the breach in January 2009 after Visa and MasterCard alerted it to suspicious card activity patterns. The company immediately hired forensic investigators, decommissioned affected systems, and rebuilt the payment processing environment. CEO Robert Carr became a vocal advocate for end-to-end encryption.
Outcome
Over 130 million card records were compromised. Heartland paid more than $140 million in fines and settlements. Albert Gonzalez received a 20-year prison sentence. The breach prompted Heartland to pioneer end-to-end encryption (E2EE) technology for payment networks.
Key Takeaways
- SQL injection in any internet-facing system can be a pivot point to your most sensitive network
- Network segmentation between public-facing and payment processing systems is mandatory
- In-transit data must be encrypted even within internal networks
- Anomalous card fraud patterns at acquiring banks can be an early breach indicator
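To make the first takeaway concrete, the following added example (not Heartland's code; the merchant table, column names and token values are constructed for illustration) places a string-concatenated lookup beside its parameterized counterpart and runs the same inputs through both against an in-memory SQLite database, showing why the former turns one web form into a pivot point and the latter does not.

```python
import sqlite3

# Constructed sample data standing in for a public-facing site's back end.
# Hypothetical schema: this is an added illustration, not Heartland's code.
ROWS = [
    ("acme", "acme-secret-token"),
    ("globex", "globex-secret-token"),
    ("initech", "initech-secret-token"),
]


def make_db():
    """Build an in-memory database with a hypothetical merchant table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE merchants (name TEXT, api_token TEXT)")
    conn.executemany("INSERT INTO merchants VALUES (?, ?)", ROWS)
    return conn


def lookup_vulnerable(conn, name):
    """String concatenation: user input becomes part of the SQL text itself."""
    sql = "SELECT name, api_token FROM merchants WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, name):
    """Bound parameter: the driver passes the input as a value, never as SQL."""
    sql = "SELECT name, api_token FROM merchants WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def demo():
    """Run a benign and a hostile input through both lookups."""
    conn = make_db()
    benign = "acme"
    # The textbook tautology payload: the vulnerable query's WHERE clause
    # becomes  name = 'x' OR '1'='1'  and matches every row.
    hostile = "x' OR '1'='1"
    return {
        "vulnerable_benign": lookup_vulnerable(conn, benign),
        "vulnerable_hostile": lookup_vulnerable(conn, hostile),
        "parameterized_benign": lookup_parameterized(conn, benign),
        "parameterized_hostile": lookup_parameterized(conn, hostile),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {len(rows)} row(s) -> {rows}")
```

The hostile input dumps every merchant's token from the vulnerable lookup but matches nothing in the parameterized one, which is the whole difference between a login form and an entry point into the internal network.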