This entry is a very important one. Most are already familiar with the infamous CardSystems incident where hackers stole 263,000 credit card numbers, exposed 40 million more and several million dollars fraudulent credit and debit card purchases had been made with these counterfeit cards. As a result of the breach CardSystems nearly went out of business and was eventually purchased by PayByTouch. CardSystems is considered by many the most severe publicized information security breach ever and it caused company share holders, financial institutes and card holders damage of millions of dollars.

But since the publication of the incident a year ago the way in which the breach occurred remained a mystery.

Recently new articles about the case (listed below) revealed that SQL injection was used by the attackers to install malicious script on the CardSystems web application database which where scheduled to run every four days, extract records, zip them and export them to an FTP site.

This is one of the most stunning examples where a web application security hole was used to launch a targeted attack in order to steal money.

References:

• Cleaning up after a hack job: CardSystems' Christensen [Information Security (mirror)]
• FTC complain In the Matter of CardSystems Solutions [FTC]
• Midrange CardSystems Wiki [Midrange]
• CardSystems was a Web Application Hack [Cesar Cerrudo, Argeniss]
• CardSystems Exposes 40 Million Identities [Bruce Schneier]