Back to all articles
SQL Injection
Heartland Payment Systems (2008)
Jun 03, 2026
Founded in 1997 and headquartered in Princeton, New Jersey, Heartland Payment Systems provides payment processing services to over 300,000 businesses across the U.S. Its services include e-commerce, point-of-sale (POS), and payroll processing, and the company has invested in security technology to protect customers' private information.
However, between 2008 and 2009, the company experienced one of the largest cyberattacks in the history of the payment industry. This breach affected millions of credit cards and resulted in financial losses totaling hundreds of millions of dollars. The attack was orchestrated by Albert Gonzalez, a Cuban computer criminal and hacker raised in the United States. He managed an online forum for selling stolen cards and utilized a combination of techniques—including SQL injection, "sniffer" malware, and social engineering—to steal sensitive information.
At the time, the lack of data encryption made information even more vulnerable, facilitating the theft. As a result, approximately 130 million cards were compromised, and the company was forced to pay about $145 million in settlements for suspicious charges, fines from Visa and American Express, and legal fees.
References
https://www.scribd.com/document/838891649/Heartland-report
https://www.researchgate.net/publication/346975125_Heartland_Data_Breach_Analysis
https://www.researchgate.net/publication/346975125_Heartland_Data_Breach_Analysis