The Mother of All Data Breaches

Emily Holbrook


November 1, 2010

Heartland Payment Systems is the sixth largest credit card processor in the United States, administering 100 million payment card transactions per month for more than 250,000 merchants. So when a crook breached Heartland's data security in 2008 and stole 130 million credit card numbers, it made headlines worldwide.

The man behind the scheme was a former Secret Service agent whose role as an undercover computer crime informant earned him a $75,000 annual salary. Apparently unsatisfied with his law-abiding life and a paycheck he presumably perceived as too small, he enlisted friends to exploit security weaknesses at Heartland and steal millions of dollars from unsuspecting victims in the largest data breach in U.S. history.

These types of breaches are nothing new, however. And while companies in every industry are becoming increasingly aware of their vulnerabilities to cybercriminals and the staggering costs incurred after a breach, Congress is taking action.

Late 2008
A team of identity thieves, led by 28-year-old Albert Gonzalez, hacked into the computers used by Heartland Payment Systems and stole a reported 130 million credit card numbers.

January 2009
The data breach was finally discovered. Heartland's president admitted the company did not know how long the malicious software was in place, how it got there or how many accounts had been compromised.

August 2009
Albert Gonzalez was indicted in New Jersey on charges of not only masterminding the Heartland attack but also perpetrating, among others, the 2007 breach of TJX Companies, which exposed the data of almost 47 million credit and debit cards, a record number at the time. It was found that Gonzalez copied the data encoded on the cards' magnetic stripe, then installed this information on fabricated credit cards, which he used liberally. He pleaded guilty to all 19 charges he faced.

March 2010
On March 25, Albert Gonzalez was sentenced to 20 years in federal prison, the longest sentence ever imposed in the United States for hacking or identity theft crimes. He also had to forfeit more than $1.6 million in cash and numerous possessions, including his Miami condominium, BMW, laptop computers, Tiffany ring and Rolex watches.

May 2010
MasterCard and Heartland agreed to a payment arrangement in which the card processor will fund up to $41.4 million in reimbursement expenses if a security breach occurs.

July 2010
Senators Mark Pryor (D-AR) and John Rockefeller (D-WV) introduced to Congress the Data Security Act of 2010, a bill that, if signed into law, would require all organizations to alert victims of a breach within 60 days and provide them with two years of credit monitoring services free of charge. The bill would also require businesses and nonprofits to implement policies to protect sensitive data.

September 2010
Heartland agreed to pay $5 million to Discover Financial Services to settle security breach claims from the massive 2008 cybertheft. This marked the final agreement with a card brand related to the record-setting data breach.


Emily Holbrook is the founder of Red Label Writing, LLC, a writing, editing and content strategy firm catering to insurance and risk management businesses and publications, and a former editor of Risk Management.