SQL Injection Cause of Heartland Breach
When news of the Heartland Payment Systems compromise first broke, it seemed likely that SQL injection or some other Web-delivered mechanism was at play. According to court documents obtained by Wired News, the entry was indeed via SQL injection. Among those charged in the intrusion was Albert Gonzalez, former carder and Shadowcrew administrator turned Secret Service informant, who was already awaiting trial for intrusion and credit card theft at TJ Maxx and the Dave & Busters restaurant chain.
Wired News also reported that the transactions were stolen via a custom data theft trojan that sniffed network traffic in real time and intercepted the transactions as they were being processed. That malware was written by a (now former) Morgan Stanley employee. Though the developer claims never to have received payment for writing the attack tool, it does appear he was well aware of its intended use and the results of that use.
Three themes emerge that this blog has hammered on repeatedly in the past:
- The Web is under attack and SQL injection is one of the most common attack tools;
- Today's data theft trojans almost always include traffic sniffing and other forms of MitM attacks;
- Programmers who provide criminals with attack tools - whether deliberately or as part of "research" - pose considerable harm to us all.
Combined, the Heartland and Hannaford compromises resulted in the "theft of more than approximately 130 million credit and debit card numbers and corresponding Card Data."

Mary Landesman