130 Million Cards: The Heartland Breach
Heartland: 130 Million Cards
January 12, 2009. A routine Monday morning at Heartland Payment Systems’ headquarters in Princeton, New Jersey. The company processes credit and debit card payments for roughly 250,000 businesses across the United States at more than 100 million transactions per month — the sixth-largest payment processor in the country.
The day before, Visa and MasterCard had quietly contacted Heartland’s security team. They had been tracking fraudulent card activity: hundreds of compromised cards, stolen from dozens of different issuing banks, all sharing a single commonality — they had been used at Heartland-processed merchants.
Heartland hired Gartner Group security consultants and launched an investigation. Within 48 hours, they found what every payments executive had had nightmares about for years.
Malicious software had been running inside Heartland’s payment processing environment for months. A RAM scraper. A quiet, patient piece of code watching the river of card data flowing through Heartland’s servers and siphoning off copies — card numbers, expiration dates, cardholder names — sending them in encrypted streams to servers in Eastern Europe.
Approximately 130 million credit and debit card numbers had been compromised — the largest payment card breach in recorded history. And at the center of it was a man named Albert Gonzalez, who, while orchestrating the most audacious payment card theft in history, was simultaneously on the payroll of the United States Secret Service as a confidential informant.
Threat Actor Profile: Albert Gonzalez (Soupnazi)
Designation: soupnazi; aliases jilsi and segvec
Attribution: Independent criminal enterprise; US-based; recruited Eastern European technical specialists
Origin: Miami, Florida; Cuban-American; operating 2000–2008
Primary Mission: Large-scale financial fraud through payment card theft and underground market sales
Known Tradecraft: SQL injection, network reconnaissance, RAM scraping, memory-resident sniffers on payment processing systems, encrypted exfiltration, exploitation of FBI informant status for operational cover
Notorious Operations:
- TJX Companies (2005–2007): ~45 million card records — the largest retail payment breach ever at the time. Accessed via wardriving unsecured Wi-Fi at TJX stores, then pivoted to central payment systems.
- BJ’s Wholesale Club (2004): ~1 million cards; first major operation establishing his methodology.
- 7-Eleven ATM Network (2007): Simultaneous breach of the convenience store chain’s ATM infrastructure; stolen data used for fraudulent cash withdrawals.
- Heartland Payment Systems (2007–2008): 130 million card numbers. SQL injection → sniffer deployment → RAM scraping → encrypted exfiltration. All while paid by the Secret Service.
Status: Arrested August 2008; sentenced to 20 years in federal prison — the longest computer crime sentence in US history at the time.
The Double Agent: Gonzalez and the FBI
Gonzalez grew up in Miami, the son of Cuban immigrants. By his early twenties he was one of the most prominent figures in the underground carding ecosystem, running Shadowcrew.com — one of the largest online carding forums, with tens of thousands of members trading stolen payment cards and forged documents.
In 2003, the Secret Service came for him. Faced with federal charges, Gonzalez made a deal. He became a confidential informant for the United States Secret Service’s Electronic Crimes Task Force, providing insider access critical to Operation Firewall — the government’s takedown of Shadowcrew. In October 2004, the operation produced 28 arrests across multiple countries.
Gonzalez walked away not just free, but on the government payroll — approximately $75,000 annually from the Secret Service, helping federal agents navigate the underground world of cybercrime. But he had not stopped. While cooperating with the Secret Service, he was running a parallel operation: breaching retail networks, stealing payment card data, selling it through carefully insulated channels. The TJX breach — 45 million cards — was executed in 2005–2007, precisely when Gonzalez was at the height of his value to federal law enforcement. When investigators eventually searched his Miami apartment, they found $1.65 million in cash, much of it buried in his backyard in a tin container.
Heartland was the operation that finally broke him.
The Infrastructure: How RAM Scraping Worked
To understand what Gonzalez’s team stole, you need to understand the payment processing architecture of 2007–2008. When a customer swipes a card at a Heartland-processed merchant, the card’s Track 2 data is read by the POS terminal, encrypted, and transmitted to Heartland’s servers. Heartland receives the transaction, routes it through Visa or MasterCard to the issuing bank for authorization, and the merchant’s terminal receives the response.
The critical vulnerability was at the processing step: when Heartland’s servers handled the incoming transaction data, card information had to be decrypted from the terminal encryption and handled in memory before it could be re-encrypted for the card networks. For a brief moment — milliseconds — the raw, unencrypted card data existed in the live memory of Heartland’s processing servers.
If you could run software that continuously scanned system memory for patterns matching payment card data, you could capture it at the precise instant it existed in the clear. This is RAM scraping — exactly what Gonzalez’s malware did.
The Attack: SQL Injection, Sniffer, and the River of Cards
Phase One: SQL Injection. Gonzalez’s team identified an SQL injection vulnerability in one of Heartland’s web-facing applications — improperly sanitized user input that could be manipulated to execute commands on the underlying system. This gave them initial command execution within Heartland’s web-facing infrastructure.
Phase Two: Lateral Movement and Sniffer Installation. From that foothold, attackers moved laterally. Heartland’s internal network did not adequately segment web-facing systems from the payment processing environment — a failure of network design that proved catastrophic. Once inside the payment servers, they deployed a custom memory-resident sniffer: a Windows service that monitored process memory of payment applications, continuously scanning for Track 2 card data. When found, data was logged to an encrypted local file. The sniffer was engineered for invisibility — a low-profile service, minimal network traffic, no interference with transaction processing. It ran undisturbed for months. Every transaction at every Heartland-processed merchant generated a stolen copy.
Phase Three: Exfiltration. At intervals, accumulated card data was bundled and sent through encrypted tunnels to infrastructure in Eastern Europe. Maksym Yastremskiy (“Maksik”), a Ukrainian national, was one of the principal data receivers — previously arrested in Turkey in 2007 with 40 million stolen card records.
The Discovery and Investigation
Heartland did not discover the breach through their own monitoring. They were told. In January 2009, Visa and MasterCard’s fraud detection systems identified a pattern: compromised cards across hundreds of issuing banks, all sharing a common point of purchase — Heartland-processed merchants. The card networks notified Heartland, and within days investigators found the sniffer and the exfiltration infrastructure.
On January 20, 2009, Heartland disclosed the breach publicly — one of the first major corporate disclosures to comply with emerging state data breach notification laws. The consequences were immediate: stock price collapsed; card networks suspended Heartland’s PCI DSS compliance designation; banks across the country began the laborious process of reviewing 130 million accounts and reissuing compromised cards. Industry estimates put card reissuance costs alone at over $200 million — costs falling primarily on issuing banks, not Heartland.
The path to Gonzalez ran through his Russian co-conspirators. In August 2008 — before the breach was even publicly disclosed — investigators building a case around TJX pointed toward Gonzalez. He was arrested in Miami and already in custody when Heartland discovered the breach; Heartland was added to his charges post-disclosure. The Secret Service — whose informant had been running one of the largest card theft operations in history while in their employ — faced an institutional reckoning that led to significant changes in informant management.
Gonzalez pleaded guilty in 2009 and 2010. In March 2010, Judge Douglas Woodlock sentenced him to two concurrent 20-year terms — the longest computer crime sentence in US history at the time. He was 28. The $1.65 million found buried in his backyard was forfeited.
Legacy: P2PE, EMV, and the Transformation of Payment Security
The Heartland breach did not just produce criminal prosecutions. It transformed the payment card industry.
Heartland CEO Robert Carr became a vocal advocate for point-to-point encryption (P2PE) — architectures in which card data remains encrypted from the POS terminal through every stage of transmission and processing, never existing as plaintext in intermediate processor memory. The fundamental vulnerability Gonzalez had exploited would be eliminated under a true P2PE architecture: nothing to scrape. Heartland launched its own P2PE product in 2009; the PCI Security Standards Council incorporated P2PE requirements into its standards framework in subsequent years.
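The scrape window described in the RAM scraping section, and why a P2PE design closes it, as an added simulation (not Heartland's code or any real processor's): a constructed Track 2 record is pushed through a 2008-style decrypt-and-re-encrypt flow and through a forward-ciphertext-only flow, and the processor's buffers are then audited for plaintext Track 2 with the same pattern-plus-Luhn test a DLP scanner uses. The stream cipher, keys, nonce and PAN are all constructed stand-ins.

```python
import hashlib
import re

# Track 2 layout: PAN, '=' separator, YYMM expiry, 3-digit service code, discretionary data.
TRACK2_RE = re.compile(rb";?(\d{13,19})=(\d{4})(\d{3})\d*")

def luhn_ok(pan: str) -> bool:
    """Luhn check-digit test; drops random digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 if d < 5 else d * 2 - 9
        total += d
    return total % 10 == 0

def find_track2(buf: bytes) -> list[str]:
    """Return Luhn-valid PANs that appear as plaintext Track 2 inside a memory buffer."""
    pans = [m.group(1).decode() for m in TRACK2_RE.finditer(buf)]
    return [p for p in pans if luhn_ok(p)]

def stream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher (SHA-256 counter keystream) standing in for real terminal/network crypto."""
    out = bytearray()
    for off in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + off.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], block))
    return bytes(out)

TERMINAL_KEY, NETWORK_KEY, NONCE = b"terminal-zone-key", b"network-zone-key", b"txn-0001"

def legacy_processor(terminal_ct: bytes, memory: list) -> bytes:
    """2008-style flow: decrypt the terminal's ciphertext, then re-encrypt for the card network.
    The plaintext buffer between those two steps is the window a RAM scraper reads."""
    plaintext = stream_xor(TERMINAL_KEY, NONCE, terminal_ct)
    memory.append(plaintext)
    return stream_xor(NETWORK_KEY, NONCE, plaintext)

def p2pe_processor(terminal_ct: bytes, memory: list) -> bytes:
    """P2PE flow: the processor only routes ciphertext; decryption happens in a separate
    hardware-secured zone, so this process's memory never holds Track 2 in the clear."""
    memory.append(terminal_ct)
    return terminal_ct

def plaintext_pans_in_memory(p2pe: bool) -> list[str]:
    """Push one constructed swipe through either flow, then audit the processor's buffers."""
    track2 = b";4111111111111111=25121011234567890?"    # constructed test PAN (Luhn-valid)
    terminal_ct = stream_xor(TERMINAL_KEY, NONCE, track2)  # what the POS terminal transmits
    memory: list = []
    (p2pe_processor if p2pe else legacy_processor)(terminal_ct, memory)
    return find_track2(b"".join(memory))
```

The legacy flow leaves the test PAN recoverable from the processor's buffers; the P2PE flow leaves nothing to scrape.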
The breach also accelerated US adoption of EMV chip card technology. EMV chips generate a unique cryptogram per transaction rather than transmitting static Track 2 data — making them dramatically harder to clone from stolen card numbers. The 130 million numbers stolen from Heartland could produce cloned magnetic stripe cards that would fail at chip-enabled terminals. Following Heartland, Target, and related retail breaches, card networks established liability shift deadlines pushing US merchants to upgrade. By 2016, the majority of US card transactions ran through EMV chip systems.
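Why stolen static data is useful against a magnetic stripe authorizer but not against a chip authorizer, as an added simplified model (not the EMV specification, and not any issuer's code): the "cryptogram" here is an HMAC over the PAN, amount, Application Transaction Counter and terminal unpredictable number under a per-card key, standing in for a real ARQC. Card key, PAN, amount and unpredictable number are constructed values.

```python
import hashlib
import hmac

# Simplified model, not the EMV specification: the issuer shares a per-card key with the chip
# and verifies an HMAC over the transaction fields instead of an EMV-defined ARQC.
CARD_KEY = hashlib.sha256(b"constructed per-card key").digest()
PAN = "4111111111111111"

class Chip:
    """Holds the card key; increments the Application Transaction Counter (ATC) on every use."""
    def __init__(self, key: bytes):
        self.key, self.atc = key, 0
    def cryptogram(self, amount: int, unpredictable_number: int) -> dict:
        self.atc += 1
        msg = f"{PAN}|{amount}|{self.atc}|{unpredictable_number}".encode()
        return {"pan": PAN, "amount": amount, "atc": self.atc, "un": unpredictable_number,
                "arqc": hmac.new(self.key, msg, hashlib.sha256).hexdigest()}

class Issuer:
    """Authorizes chip transactions; remembers the highest ATC seen per PAN to reject replays."""
    def __init__(self, key: bytes):
        self.key, self.last_atc = key, {}
    def authorize(self, req: dict, terminal_un: int) -> bool:
        msg = f"{req['pan']}|{req['amount']}|{req['atc']}|{req['un']}".encode()
        expected = hmac.new(self.key, msg, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, req["arqc"]):
            return False                       # cryptogram not made with this card's key
        if req["un"] != terminal_un or req["atc"] <= self.last_atc.get(req["pan"], 0):
            return False                       # replay of a previously seen cryptogram
        self.last_atc[req["pan"]] = req["atc"]
        return True

def magstripe_authorize(track2: str, known_cards: set) -> bool:
    """Magnetic stripe carries no per-transaction secret: any faithful copy of Track 2 works."""
    return track2.split("=")[0] in known_cards

def run_scenarios() -> dict:
    issuer, chip = Issuer(CARD_KEY), Chip(CARD_KEY)
    stolen_track2 = f"{PAN}=2512101"                      # static data, as a scraper captures it
    results = {"magstripe_replay": magstripe_authorize(stolen_track2, {PAN})}
    req = chip.cryptogram(1999, unpredictable_number=0x5A17)
    results["chip_genuine"] = issuer.authorize(req, terminal_un=0x5A17)
    results["chip_replay"] = issuer.authorize(req, terminal_un=0x5A17)   # same message resent
    cloned = Chip(hashlib.sha256(b"clone made from the PAN alone, no card key").digest())
    results["chip_cloned"] = issuer.authorize(cloned.cryptogram(1999, 0x5A17), terminal_un=0x5A17)
    return results
```

The replayed Track 2 authorizes on the stripe path, while the replayed and the cloned-card cryptograms both fail on the chip path.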
The deeper lesson: trust without verification inside network perimeters is catastrophic. Heartland had invested in perimeter defenses, but once Gonzalez’s team was inside, they moved laterally without resistance. Network segmentation — carving the most sensitive systems into protected zones inaccessible from less-trusted network areas — became a regulatory requirement for payment environments in the years following.
One hundred and thirty million cards. Two concurrent 20-year sentences. A tin of buried cash in a Miami backyard. The most valuable informant the Secret Service ever had.
Attack Chain: Heartland Payment Systems — RAM Scraper
graph TD
A["🦹 Albert Gonzalez\n'soupnazi'\nMiami, FL\nSimultaneous: FBI Informant\n+ Criminal Operator"] --> B["Target Selection\nHeartland Payment Systems\nPrinceton, NJ\n100M+ transactions/month\n250,000 merchants"]
B --> C["Reconnaissance\nMap Heartland's\nWeb-Facing Attack Surface\nIdentify Vulnerable Applications"]
C --> D["SQL Injection Attack\nWeb Application Vulnerability\nInitial Code Execution\non Heartland Web Server"]
D --> E["Lateral Movement\nInsufficient Network Segmentation\nWeb Server → Internal Network\n→ Payment Processing Environment"]
E --> F["Custom Memory-Resident Sniffer\nDeployed as Windows Service\non Payment Processing Servers\nPrinceton Data Center\n~Mid-2007/2008"]
F --> G["Continuous RAM Scanning\nMonitor Process Memory of\nPayment Processing Application"]
G --> H{"Merchant Card Transaction"}
H --> I["Card Swiped at POS Terminal\nTrack 2 Data Read"]
I --> J["Data Encrypted at Terminal\nTransmitted to Heartland Servers"]
J --> K["Heartland Server Decrypts\nfor Processing/Routing\n→ BRIEF PLAINTEXT IN MEMORY"]
K --> L["Sniffer Captures\nUnencrypted Track 2 Data:\nCard # + Expiry + Service Code"]
L --> M["Logged to Encrypted\nLocal File on Server"]
M --> H
M --> N["Periodic Batch Exfiltration\nEncrypted Tunnel\nHeartland Network →\nEastern European C2 Servers"]
N --> O["Maksym Yastremskiy\n'Maksik' + Co-Conspirators\nUkraine/Russia\nReceive Stolen Card Data"]
O --> P["Underground Carding Markets\nCards Listed for Sale\nBulk Card Data Packages"]
F --> Q["Months of Undetected\nOperation — 2008\n~130 Million Cards\nAccumulating"]
Q --> R["January 2009:\nVisa + MasterCard\nFraud Analytics Detect Pattern\nShared POP: Heartland Merchants"]
R --> S["Visa/MasterCard Notify Heartland\nJanuary 12, 2009"]
S --> T["Heartland Hires Gartner\nInternal Investigation Launched"]
T --> U["Sniffer Discovered\nExfiltration Infrastructure Found\nEvidence of Months-Long Breach"]
U --> V["January 20, 2009:\nHeartland Public Disclosure\n(State Breach Notification Laws)"]
V --> V1["Stock Price Collapses"]
V --> V2["PCI DSS Compliance\nDesignation Suspended\nBy Card Networks"]
V --> V3["130M+ Card Reissuance\nBanks Bear $200M+ Cost"]
A --> W["Parallel Investigation:\nAugust 2008:\nGonzalez Arrested in Miami\n(Prior TJX Charges)\nHeartland Added to Charges\nPost-Disclosure"]
W --> X["Plea Agreements:\n2009 + 2010\nFull Scope of Criminal Activity"]
X --> Y["March 2010 Sentencing:\nJudge Douglas Woodlock\n20 Years + 20 Years Concurrent\nLongest Computer Crime Sentence\n(US History at the Time)\n$1.65M Cash Forfeited"]
V --> Z1["Heartland CEO Robert Carr\nBecomes P2PE Advocate\nHeartland Launches Own\nP2PE Product 2009"]
V --> Z2["PCI SSC Incorporates\nP2PE into Standards\nFramework"]
V --> Z3["US EMV Chip Card\nAdoption Accelerates\n2012–2016 Liability Shifts"]
V --> Z4["Network Segmentation\nMandated for\nPayment Environments\nPCI DSS Revision"]