Tuesday, August 18, 2009

SQL Injection Leads to Heartland's 130 Million Credit Card Compromise

From the indictment of Albert Gonzalez:

Beginning on or about December 26, 2007, Heartland was the victim of a
SQL Injection Attack on its corporate computer network that resulted
in malware being placed on its payment processing system and the
theft of more than approximately 130 million credit and debit card
numbers and corresponding Card Data.

The indictment continues and details how Gonzalez was involved in multiple attacks on credit card processing.

Beginning in or about August 2007, 7-Eleven was the victim of a SQL Injection
Attack that resulted in malware being placed on its network and
the theft of an undetermined number of credit and debit card
numbers and corresponding Card Data.

Don't forget about the Hannaford compromise; Gonzalez was involved there too.

In or about early November 2007, a related company of Hannaford was
the victim of a SQL Injection Attack that resulted in the later
placement of malware on Hannaford’s network and the theft of
approximately 4.2 million credit and debit card numbers and
corresponding Card Data.

Two other companies are referenced in the indictment as victims of similar attacks. Their names are not available at the moment.

The basic attack went like this:

  1. Go to the stores and identify the payment processing systems in use.
  2. Scour the company's website for application layer vulnerabilities.
  3. Locate and exploit SQL injection vulnerabilities
  4. Steal credit card data via SQL injection
  5. Utilize compromised SQL server to access internal network. Install sniffers on server and any other compromised hosts.
  6. Steal all unencrypted credit card data as it passed through the internal network during payment processing.
  7. Install backdoors to gain future access to networks as needed.

What are the glaring lessons that we can learn from this?

  1. Application vulnerabilities can be very bad. It is not simply a matter of a defaced website; SQL injection was the launching pad for these attacks.
  2. Sensitive data must not be transmitted without encryption. The argument that the internal network is secure is flawed, and it demonstrates an organization's inability to adequately understand the threats facing modern corporations.
  3. The attackers are smart and will work hard to compromise your sensitive data. How confident are you in your application's security?
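To make the first lesson concrete, here is an added example (not from the original post or the indictment) that puts a string-built query beside its parameterized form. The table, rows and input strings are constructed for illustration; the schema is not Heartland's or any other victim's.

```python
import sqlite3


def make_db():
    # Constructed sample data: a toy account table with only the last four
    # card digits, used to show how the query shape changes under injection.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (username TEXT, card_last4 TEXT)")
    conn.executemany(
        "INSERT INTO accounts VALUES (?, ?)",
        [("alice", "1111"), ("bob", "2222"), ("carol", "3333")],
    )
    return conn


def lookup_vulnerable(conn, username):
    # The SQL text is assembled from user input, so the input can alter the
    # structure of the query (here, the WHERE clause) instead of only
    # supplying a value. This is the defect the post's attack chain starts from.
    sql = "SELECT username, card_last4 FROM accounts WHERE username = '%s'" % username
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    # The driver binds the value separately from the SQL text. Whatever the
    # input contains, it is compared as one literal string and cannot change
    # which rows the statement returns.
    sql = "SELECT username, card_last4 FROM accounts WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo():
    # Runs both lookups with a normal value and with a constructed input that
    # turns the string-built WHERE clause into an always-true condition.
    conn = make_db()
    normal = "alice"
    crafted = "x' OR '1'='1"
    return {
        "vuln_normal": lookup_vulnerable(conn, normal),
        "vuln_crafted": lookup_vulnerable(conn, crafted),
        "param_normal": lookup_parameterized(conn, normal),
        "param_crafted": lookup_parameterized(conn, crafted),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(label, rows)
```

The string-built lookup returns every row for the crafted input, while the parameterized lookup returns none; a lookup by a unique key that unexpectedly returns multiple rows is also a cheap application-side signal worth logging.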

-Michael Coates