In the largest data breach ever charged in the United States, a handful of criminals stole 130 million credit and debit card numbers and corresponding data from payment processor Heartland Payment Systems and retailers including 7-Eleven, Hannaford Brothers supermarket chain and others in 2007-2008.
The U.S. Department of Justice indicted those responsible and provided details on how it was done.
The #1 data security lesson for merchants, large or small, is to check the security of any database used with the company's Web sites. Investigators learned that the hackers exploited weaknesses in the database servers behind these companies' Web applications to gain access to their internal networks. From that foothold, they installed "sniffer" programs to find and download cardholder payment account data.
Merchants should have a qualified security firm conduct a penetration audit to check the site and harden its systems against the class of database attack on Web sites known as "SQL injection." Some specialists estimate that as many as 30 percent of Web sites are vulnerable to these attacks. Whenever the site's design changes, merchants should re-run the security audit.
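As an added illustration that is not part of the original article or the indictment, the Python code below shows the query-construction flaw behind "SQL injection" beside its fix, using the standard sqlite3 module and a constructed sample customer table; the audit_lookup probe is the kind of check a penetration audit runs against a site's lookup functions to confirm that user input can no longer alter a query.

```python
import sqlite3

# Constructed in-memory merchant database (sample data, not from any real system).
def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER, email TEXT, card_last4 TEXT)")
    conn.executemany(
        "INSERT INTO customers VALUES (?, ?, ?)",
        [(1, "alice@example.com", "1111"), (2, "bob@example.com", "2222")],
    )
    return conn

def lookup_vulnerable(conn: sqlite3.Connection, email: str) -> list:
    """Builds the SQL by string concatenation: the user-supplied value becomes
    part of the query text, so quote characters in it change the query's logic."""
    query = "SELECT id, email, card_last4 FROM customers WHERE email = '" + email + "'"
    return conn.execute(query).fetchall()

def lookup_parameterized(conn: sqlite3.Connection, email: str) -> list:
    """Passes the value as a bound parameter: the database driver treats it
    purely as data, never as SQL, whatever characters it contains."""
    query = "SELECT id, email, card_last4 FROM customers WHERE email = ?"
    return conn.execute(query, (email,)).fetchall()

def audit_lookup(lookup) -> bool:
    """Minimal audit check: a lookup for a customer who does not exist must
    return no rows no matter which characters the input contains.
    Returns True when the lookup function passes this probe."""
    conn = build_db()
    probe = "nobody@example.com' OR '1'='1"   # constructed probe input
    return len(lookup(conn, probe)) == 0

if __name__ == "__main__":
    print("vulnerable lookup passes audit?   ", audit_lookup(lookup_vulnerable))    # False
    print("parameterized lookup passes audit?", audit_lookup(lookup_parameterized))  # True
```

The concatenating version returns every customer row for the probe because the input rewrote the WHERE clause; the parameterized version returns none, which is the behaviour an audit should require of every query that touches cardholder data.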