There was a news article on the BBC website today about a man arrested for stealing 130 million credit card numbers. He, along with a couple of unnamed Russian co-conspirators, broke into several organizations, including 7-Eleven, Hannaford Brothers and Heartland Payment Systems, and stole credit card numbers with the intent of selling them on.
One bit of information that has come out, at least in the case of 7-Eleven, is that he used a SQL Injection attack to access the credit card data. SQL Injection is a form of attack that manipulates the queries a website sends to its database to retrieve information. These attacks are usually launched through the web application itself, over HTTP (or HTTPS). Network perimeter firewalls are configured to let HTTP and HTTPS traffic pass through, so they will not stop attacks carried over these protocols. The attacks usually succeed when user-supplied parameters are not validated properly or parameterized SQL statements are not used.
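To make the last sentence concrete, here is an added example (not code from the original post or from any of the companies named) showing the two defences side by side. It uses an in-memory SQLite table with constructed sample rows standing in for a card store; the table, column and user names are assumptions. The vulnerable lookup builds the SQL text by string concatenation, so whatever the web application passes in becomes part of the query; the parameterized lookup hands the value to the driver separately, so it can only ever be a literal; the validated lookup adds an allow-list check on top.

```python
import re
import sqlite3

# Constructed sample data: a tiny card table standing in for the real store.
SAMPLE_ROWS = [
    ("alice", "4111111111111111"),
    ("bob", "5500000000000004"),
]

# Allow-list for the username parameter (assumed format for this example).
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")


def make_db():
    """Create an in-memory database populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cards (username TEXT, pan TEXT)")
    conn.executemany("INSERT INTO cards VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, username):
    """Builds the SQL text with string concatenation.

    The request parameter is spliced straight into the statement, so the
    database parses it as SQL rather than as data.  This is the defect the
    post describes.
    """
    sql = "SELECT pan FROM cards WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, username):
    """Uses a placeholder; the driver binds the value separately.

    The statement text is fixed, so the parameter is always treated as a
    string literal no matter what characters it contains.
    """
    sql = "SELECT pan FROM cards WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


def lookup_validated(conn, username):
    """Allow-list validation as a second layer on top of parameterization.

    Rejecting input that does not match the expected shape keeps unexpected
    characters out of the application entirely, and gives a clean signal
    to log and alert on.
    """
    if not USERNAME_RE.fullmatch(username):
        raise ValueError("invalid username")
    return lookup_parameterized(conn, username)


if __name__ == "__main__":
    db = make_db()
    # A classic malformed parameter that turns the WHERE clause into a tautology.
    hostile = "x' OR '1'='1"
    print("vulnerable    :", lookup_vulnerable(db, hostile))      # every row leaks
    print("parameterized :", lookup_parameterized(db, hostile))   # []
    try:
        lookup_validated(db, hostile)
    except ValueError as exc:
        print("validated     : rejected,", exc)
```

Run as a script it prints all PANs for the vulnerable lookup, an empty list for the parameterized one, and a rejection for the validated one. The point worth taking from it is that the parameterized version does not "sanitize" anything: it simply never lets the parameter reach the SQL parser, which is why it is the primary fix and validation is the belt-and-braces layer.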
This demonstrates how effective web application attacks are at compromising huge amounts of data. I cannot imagine why these companies were storing credit card data, presumably in the clear. PCI-DSS requires the Primary Account Number (PAN), which is the credit card number, to be stored only after it has been encrypted. This requirement ensures that if someone does obtain the data, they cannot do much with it, since it would be in encrypted form.
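As an added example of what "not storing the PAN in the clear" looks like in code (this is not code from the original post or from any of the companies named), the function below validates an incoming card number and then records only a truncated form and a keyed-hash token derived from it. The post's requirement is encryption; truncation and keyed hashing are the other ways PCI-DSS accepts for rendering a PAN unreadable, and they are used here so the example runs with nothing but the Python standard library. The key is assumed to come from a proper key-management system; the one in the script is a constructed placeholder.

```python
import hashlib
import hmac
import re

# Shape check for a PAN: 13 to 19 digits (assumed acceptable range).
PAN_RE = re.compile(r"^\d{13,19}$")


def luhn_ok(pan):
    """Luhn checksum used by card numbers; rejects obvious typos before storage."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan):
    """Truncate to first six and last four digits, the usual display form."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def pan_token(pan, key):
    """Keyed hash of the PAN (HMAC-SHA256).

    The token lets the application match a card across transactions without
    keeping the number itself; without the key the token cannot be reversed
    or brute-forced against the small PAN space.
    """
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


def protect_pan(pan, key):
    """Validate a PAN and return the only fields that should be persisted."""
    if not PAN_RE.fullmatch(pan) or not luhn_ok(pan):
        raise ValueError("not a well-formed card number")
    return {"masked": mask_pan(pan), "token": pan_token(pan, key)}


if __name__ == "__main__":
    # Constructed placeholder key; a real deployment loads it from an HSM or KMS.
    key = b"example-key-not-for-production"
    record = protect_pan("4111111111111111", key)   # constructed test PAN
    print(record)   # the full PAN appears nowhere in the stored record
```

The stored record carries enough to show the customer which card was used and to link transactions, while a database dump of the kind described in the story would yield masked numbers and tokens rather than usable PANs.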
These companies are not alone in failing to follow procedure when storing sensitive data. Very few companies take any steps until after they have been attacked, by which point it is too late. Most companies store data they do not need, and store it in multiple locations. They do not realize how much they could reduce their exposure simply by evaluating what they actually need to keep and eliminating redundant and unnecessary data.
Link to the original BBC story:
US man ‘stole 130m card numbers’