Data breach · Resolved

Heartland Payment Systems card breach

An SQL-injection foothold let Albert Gonzalez's crew plant sniffer malware inside Heartland's payment-processing network, capturing roughly 130 million card numbers in transit — at the time the largest card-data breach ever disclosed.

Victim
Heartland Payment Systems
Loss
$200.0M
Records
130.0M
Users
130.0M

On 20 January 2009, the New Jersey payment processor Heartland Payment Systems disclosed that criminals had breached the systems it used to process card transactions for some 175,000 merchants. The exposure — estimated at up to 130 million card numbers — made it, at the time, the largest payment-card breach ever publicly disclosed, surpassing even the TJX intrusion by the same crew.

What happened

The attack began with a familiar weakness: an SQL-injection vulnerability in a Heartland corporate web application, exploited as early as 2007. SQL injection lets an attacker smuggle database commands through an input field that the application concatenates into a query string, and here it gave the intruders an initial foothold on Heartland's corporate network, separate from the segment that handled card data.

From there the crew worked patiently, over months, to pivot into the payment-processing environment itself. Once inside, they deployed sniffer malware that read card-track data as it traversed Heartland's internal network unencrypted during the brief window between receipt from the merchant and forwarding to the card brands for authorization. PCI DSS at the time required encryption of stored card data and of transmissions over public networks, not of traffic on internal segments, so the data was in the clear exactly where the sniffer sat. Because the data was captured in transit at the processor, the haul spanned a vast number of merchants and cardholders without a single merchant having to be compromised.
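The same parse the sniffer performed is the parse a network DLP rule or IDS signature performs to catch clear-text track data on an internal segment, which is the detection a practitioner would want after reading this. The following is an added example, not Heartland's malware or its later controls: it scans a payload for ISO 7813 Track 1 and Track 2 layouts, Luhn-checks each candidate PAN so that arbitrary digit runs do not fire, and reports masked PANs. The two payloads are constructed (a clear-text authorization record with a decoy that fails Luhn, and an opaque blob standing in for what a point-to-point-encrypted record would look like on the wire); the field names around them are invented for the example.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Track 1, format B (ISO 7813): '%B', PAN, '^', name, '^', YYMM, 3-digit service code,
# discretionary data, end sentinel '?'.
TRACK1_RE = re.compile(rb"%B(\d{12,19})\^([^\^]{2,26})\^(\d{4})(\d{3})([^\?]*)\?")
# Track 2: ';', PAN, '=', YYMM, service code, discretionary data, '?'.
TRACK2_RE = re.compile(rb";(\d{12,19})=(\d{4})(\d{3})(\d*)\?")


def luhn_ok(pan: str) -> bool:
    """Mod-10 check digit test; a cheap filter against false positives on plain digit runs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class TrackHit:
    track: int
    pan: str
    expiry: str        # YYMM
    service_code: str
    offset: int        # byte offset of the match in the payload


def scan_payload(payload: bytes) -> list[TrackHit]:
    """Return every Luhn-valid track record found in the payload, Track 1 hits first."""
    hits: list[TrackHit] = []
    for m in TRACK1_RE.finditer(payload):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            hits.append(TrackHit(1, pan, m.group(3).decode(), m.group(4).decode(), m.start()))
    for m in TRACK2_RE.finditer(payload):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            hits.append(TrackHit(2, pan, m.group(2).decode(), m.group(3).decode(), m.start()))
    return hits


def mask_pan(pan: str) -> str:
    """First six and last four digits, as an alert may safely carry them."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def alert_lines(payload: bytes) -> list[str]:
    """Human-readable findings with the PAN masked."""
    return [
        f"track{h.track} pan={mask_pan(h.pan)} exp={h.expiry} sc={h.service_code} off={h.offset}"
        for h in scan_payload(payload)
    ]


# Constructed clear-text authorization record: one Track 1, one Track 2, and a decoy
# Track 2 whose PAN fails the Luhn check. PANs are the standard Visa/MasterCard test numbers.
PLAINTEXT_AUTH = (
    b"MSG=0100|MID=123456|"
    b"%B4111111111111111^DOE/JOHN^25121011234567890?"
    b";5555555555554444=25121011234567890?"
    b";1234567890123456=25121010000000000?"
    b"|AMT=000001999"
)

# Constructed opaque record: what the same message would look like if the terminal had
# encrypted the track data before it entered the processor's network.
OPAQUE_AUTH = b"MSG=0100|MID=123456|BLOB=qJ3n0sVx9k2L5pW8aZ1bC4dE7fG0hI3jK6lM9nO2pQ5rS8tU1vW4xY7z==|AMT=000001999"


if __name__ == "__main__":
    for name, payload in (("plaintext", PLAINTEXT_AUTH), ("opaque", OPAQUE_AUTH)):
        print(name, alert_lines(payload) or "no track data")
```

Run over the clear-text record the scanner reports the Visa and MasterCard test PANs and ignores the decoy; over the opaque record it reports nothing, which is the whole argument for encrypting at the point of capture rather than at the processor's database.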

How it was run

The intrusion was orchestrated by Albert Gonzalez, the same operator behind the TJX breach, working with two unnamed co-conspirators whom the U.S. Department of Justice indictment placed in or near Russia. The 2009 indictment described a coordinated campaign, informally branded "Operation Get Rich or Die Tryin'", that also hit Hannaford Brothers and 7-Eleven. Stolen track data was sold on or encoded onto counterfeit cards.

Impact

  • An estimated 130 million card numbers were exposed across roughly 175,000 merchants.
  • Heartland's total costs, including settlements and fraud reimbursement, exceeded $200 million; the company reported paying out well over $140 million in compensation.
  • Heartland settled claims by Visa issuers (up to roughly $60 million) and MasterCard issuers (around $41 million), among other agreements.
  • Albert Gonzalez was sentenced in 2010 to 20 years in federal prison.

Why it matters

Heartland reshaped how the payments industry thought about data in transit. The card data was encrypted at rest, as PCI DSS required, but it crossed the internal network in the clear, and that was enough. In the breach's wake, Heartland's CEO became a vocal champion of end-to-end encryption for card data, helping push the industry toward point-to-point encryption and, eventually, tokenization and EMV chip adoption. The case remains a defining lesson that a payment processor is a single point of failure for millions of merchants, and that PCI-DSS compliance at a point in time does not guarantee security against a determined intruder.

Financial impact

Reported costs in USD

Total reported loss: $200.0M (USD 200,000,000)
  • Business loss: $200.0M

Timeline

  1. 2007: Attackers compromise a Heartland corporate web application via SQL injection, establishing an initial foothold on the corporate network.

  2. Over the following months: The crew pivots into Heartland's payment-processing environment and installs sniffer malware that captures card data as it crosses the internal network unencrypted.

  3. Late 2008: Card brands alert Heartland to suspicious activity tied to cards processed through its systems, prompting an internal investigation.

  4. 20 January 2009: Heartland publicly discloses the breach, estimating that data from up to 130 million card transactions may have been exposed.

  5. August 2009: The U.S. DOJ indicts Albert Gonzalez and two unnamed Russia-based co-conspirators for the Heartland intrusion and related attacks.

  6. January 2010: Heartland reaches a settlement of up to roughly $60 million with Visa to resolve issuer claims.

  7. March 2010: Albert Gonzalez is sentenced to 20 years in federal prison for the Heartland, TJX, and related breaches.

  8. May 2010: Heartland agrees to a settlement of around $41 million with MasterCard issuers.

Sources

  1. justice.gov: https://www.justice.gov/archives/opa/pr/alleged-international-hacker-indicted-massive-attack-us-retail-and-banking-networks
  2. bankinfosecurity.com: https://www.bankinfosecurity.com/heartland-data-breach-tjx-hacker-indicted-for-crime-a-1716
  3. theregister.com: https://www.theregister.com/2010/05/20/heartland_mastercard_settlement/
  4. proofpoint.com: https://www.proofpoint.com/us/blog/insider-threat-management/throwback-thursday-lessons-learned-2008-heartland-breach
  5. hsgac.senate.gov: https://www.hsgac.senate.gov/wp-content/uploads/imo/media/doc/TestimonyCarr20090914.pdf
