The Heartland Hack

Heartland Payment Systems is a payment processor that runs millions of transactions for retail stores and restaurants and processes credit card payments for more than 250,000 businesses.

Albert Gonzalez may have used TJX Companies as a testing ground, to see how easy corporate retail companies were to break into, before moving on to Heartland. Yes, it was Albert Gonzalez again, and this time his deeds produced one of the largest breaches of all time, involving about 130 million records.

Albert named the Heartland hack “Operation Get Rich or Die Tryin”. He now had an international team, with members from NJ, IL, the Netherlands, Latvia and Ukraine. He used attacks similar to those in the TJX case, such as SQL injection, to install back-door malware. A VPN tunnel was then set up so that an internal server could communicate with an external server and transmit the stolen credit card data.

In 2008 (the Heartland intrusion itself began in December 2007), he used the same tactics, this time with different compatriots, to once again find and attack vulnerable servers and use them as jump boxes into more secure servers. The attacks actually started with Citibank ATMs and Hannaford Stores, and then, in December 2007, moved on to Heartland's systems.

He tested his malware against the best-known and most common antivirus products and did his best to cover his tracks, for example by routing his activity through proxies. Once he was satisfied with his initial testing, he planted malware and sniffing software and started stealing data. Albert stole over 100 million credit card numbers in this scheme, adding to the already large haul from the TJX escapade. His case was now the largest online fraud case in the world, with an incredible amount of information stolen from extremely large companies. Heartland Payment Systems didn't discover its loss until after Albert was arrested for a separate crime and admitted to being involved in hacking TJX Companies and Heartland Payment Systems.

During a penetration test the SQL injection was discovered and mitigated, but the sniffer was not detected. The interesting point here is that while the hack was going on, Heartland passed its PCI audit!

Moral: a PCI audit should not make you feel secure.
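The SQL injection mentioned above is the one part of this story a developer can fix directly. What follows is an added example, not code from the original post or from any of the companies involved: it puts a vulnerable string-concatenated query beside its parameterized form, on a constructed in-memory SQLite table with fake names, passwords and masked card values, so you can see exactly what the penetration test found and why the fix closes that door. The table layout, the sample rows and the function names are all assumptions made for the example; closing this door says nothing about a sniffer that is already running, which is the point of the moral.

```python
import sqlite3

# Constructed sample data (fake names, passwords and masked card numbers);
# nothing here comes from the original post.
SAMPLE_ROWS = [
    ("alice", "pw-alice", "4111-XXXX-XXXX-1111"),
    ("bob", "pw-bob", "5500-XXXX-XXXX-0004"),
]

# Classic tautology input, used only to show that the vulnerable query can be
# made to ignore the password check while the parameterized one cannot.
TAUTOLOGY_NAME = "x' OR '1'='1' --"


def make_db() -> sqlite3.Connection:
    """Build an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT, card TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str, password: str) -> list:
    """Vulnerable form: user input is spliced into the SQL text.

    Whatever the caller types becomes part of the statement, so quotes and
    comment markers in the input rewrite the query's logic.
    """
    sql = (
        "SELECT card FROM users WHERE name = '" + name
        + "' AND password = '" + password + "'"
    )
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn: sqlite3.Connection, name: str, password: str) -> list:
    """Hardened form: the SQL text is fixed and the values are bound separately.

    The database treats bound values purely as data, so the same input that
    subverts lookup_vulnerable simply fails to match any row here.
    """
    sql = "SELECT card FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (name, password))]


def compare(name: str, password: str) -> dict:
    """Run both lookups on a fresh database and return how many rows each returned."""
    conn = make_db()
    try:
        return {
            "vulnerable": len(lookup_vulnerable(conn, name, password)),
            "parameterized": len(lookup_parameterized(conn, name, password)),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    print("legitimate login:", compare("alice", "pw-alice"))
    print("tautology input :", compare(TAUTOLOGY_NAME, "does-not-matter"))
```

With a legitimate name and password both lookups return one card. With the tautology input the vulnerable query returns every card in the table because the rest of the statement has been commented away, while the parameterized query returns nothing. That difference is the whole of the mitigation the penetration test applied; it is worth noting that it would not have stopped data already leaving through the sniffer.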


Capture of Albert

Albert was finally caught for making a simple mistake. It wasn't a company-wide investigation or a security alert that brought this house of cards down; it was Albert and his crew making too many visits to a Dave and Buster's restaurant. Albert and his team had hacked into a point-of-sale system at one of the restaurants, which gathered a few thousand credit card numbers. The only problem with the hack was that it had to be restarted after the system was shut down, which meant going back in person.

His constant visits to one restaurant, and the suspicious activity that went with them, finally led to his arrest by the authorities. Multiple police raids seized over a million dollars in cash, a condominium in Miami, a BMW, a firearm and, of course, Albert's laptops.

On March 25, 2010, Albert Gonzalez was sentenced to 20 years in prison for his role in the hacking of TJX and Heartland Payment Systems, and also fined $25,000.