
Archive for April, 2006

The CardSystems incident is finally part of WHID

Thursday, April 20th, 2006

Until today, the CardSystems incident, probably the most well known information security breach ever, was mentioned in WHID only in the FAQ, as an example of an incident that we would like to add to WHID but could not, because there was no public information about how the hack was done. Today, nearly a year after it was first publicized, it has been added to the database. While we always suspected that it was a web hack, and industry rumors hinted as much, no public information about how the hack was carried out was available until now.

Most are already familiar with the infamous CardSystems incident, in which hackers stole 263,000 credit card numbers, exposed 40 million more, and several million dollars in fraudulent credit and debit card purchases were made with counterfeit cards. As a result of the breach CardSystems nearly went out of business and was eventually purchased by PayByTouch. CardSystems is considered by many the most severe publicized information security breach ever, and it caused shareholders, financial institutions and cardholders damage of millions of dollars.

Recent articles about the case revealed that SQL injection was used by the attackers to install a malicious script on the CardSystems web application database. The script was scheduled to run every four days, extract records, zip them and export them to an FTP site. Links to those articles can be found in the CardSystems entry, WHID 2004-17.
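The root cause named above was SQL injection: user input spliced into the text of a query, so that the input can change the query's structure rather than just its value. As an added illustration that is not part of the WHID entry or of the articles it links (CardSystems' actual application and schema are not public), the following Python puts the injectable query-construction pattern beside the parameterized form that closes it, using an in-memory SQLite table with constructed sample rows. The table, column and row values are assumptions made for the example.

```python
import sqlite3

# Constructed sample rows standing in for a merchant table; not real data.
SAMPLE_ROWS = [
    ("merchant-001", "Acme Bakery"),
    ("merchant-002", "Bolt Garage"),
]


def make_db():
    """Build an in-memory SQLite database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE merchants (id TEXT PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO merchants VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, merchant_id):
    """Injectable: the value is concatenated into the SQL text, so a quote
    character in the input ends the literal and the rest becomes SQL."""
    sql = f"SELECT id, name FROM merchants WHERE id = '{merchant_id}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, merchant_id):
    """Hardened: the driver binds the value separately from the SQL text,
    so whatever the input contains, it is compared as one literal string."""
    sql = "SELECT id, name FROM merchants WHERE id = ?"
    return conn.execute(sql, (merchant_id,)).fetchall()


def demo():
    """Run the same hostile input through both lookups and return the rows
    each one yields; the vulnerable form leaks the whole table, the
    parameterized form matches nothing because no id equals that string."""
    conn = make_db()
    hostile = "' OR '1'='1"
    return {
        "vulnerable": lookup_vulnerable(conn, hostile),
        "parameterized": lookup_parameterized(conn, hostile),
    }


if __name__ == "__main__":
    for form, rows in demo().items():
        print(f"{form}: {len(rows)} row(s)")
```

The check to run against an application is therefore not whether input is "filtered" but whether any query is built by string concatenation at all; the parameterized form needs no escaping logic, and its behaviour does not depend on what characters the input contains.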

This is one of the most stunning examples of a web application security hole being used to launch a targeted attack in order to steal money.

More Than Meets The Eye

Tuesday, April 4th, 2006

I’ve recently added an old incident to the database. In March of 2003 a hacker broke into the computers of the University of Texas in Austin and stole more than 55,000 social security numbers. Since university networks are often wide open, I dismissed the incident at the time as just another network based hack.

A note posted on one of the mailing lists made me go and check the incident again. I found out that the hacker had penetrated a database rather than a web application, though it was not a network layer attack either. I continued my research in order to determine which database it was and found out that it was txClass. Now, what database can this be? I certainly hadn’t heard of such a product before. Well, txClass is a web based application, which the news stories referred to as a “database” because it does manage a database.

So this was a web application layer hack. I even managed to find out what the hack was: the hacker brute-forced the system by trying large ranges of social security numbers.
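The txClass hack described above is an enumeration attack: the lookup key itself (a social security number) is guessable, so the attacker walks through the key space and keeps whatever the application returns. As an added example, not taken from the incident or from txClass, the following Python runs over constructed Common Log Format lines, flags any client that queries many distinct `id` values in a short window, and reports that client's miss rate (a sparse key space turns enumeration into mostly 404 responses). The log format, the `/lookup?id=` endpoint, the client addresses and the thresholds are all assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

# Common Log Format: client ident user [timestamp] "METHOD target proto" status size
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = urlsplit(m.group("target"))
    return {
        "client": m.group("client"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "path": target.path,
        "id": parse_qs(target.query).get("id", [None])[0],   # assumed parameter name
        "status": int(m.group("status")),
    }


def find_enumeration(lines, window=timedelta(seconds=60), threshold=10):
    """Return {client: {"distinct_ids": n, "miss_rate": r}} for every client
    that queried at least `threshold` distinct ids inside any `window`."""
    per_client = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["id"] is not None:
            per_client[rec["client"]].append(rec)

    flagged = {}
    for client, recs in per_client.items():
        recs.sort(key=lambda r: r["ts"])
        max_distinct, start = 0, 0
        for end in range(len(recs)):
            # Slide the window start forward until the span fits in `window`.
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            distinct = len({r["id"] for r in recs[start:end + 1]})
            max_distinct = max(max_distinct, distinct)
        if max_distinct >= threshold:
            misses = sum(1 for r in recs if r["status"] == 404)
            flagged[client] = {
                "distinct_ids": max_distinct,
                "miss_rate": misses / len(recs),
            }
    return flagged


def build_sample_log():
    """Constructed sample log (not real traffic): one client walks sequential
    9-digit ids at one request per second, hitting only every fifth one, while
    a second client repeats a single ordinary lookup."""
    base = datetime(2006, 4, 4, 10, 0, 0, tzinfo=timezone.utc)
    fmt = "%d/%b/%Y:%H:%M:%S %z"
    lines = []
    for i in range(15):
        ts = (base + timedelta(seconds=i)).strftime(fmt)
        status = 200 if i % 5 == 0 else 404
        lines.append(f'203.0.113.7 - - [{ts}] "GET /lookup?id={123456000 + i} '
                     f'HTTP/1.1" {status} 512')
    for i in range(2):
        ts = (base + timedelta(seconds=30 * i)).strftime(fmt)
        lines.append(f'198.51.100.5 - - [{ts}] "GET /lookup?id=555443333 '
                     f'HTTP/1.1" 200 512')
    return lines


if __name__ == "__main__":
    for client, info in find_enumeration(build_sample_log()).items():
        print(f"{client}: {info['distinct_ids']} distinct ids, "
              f"miss rate {info['miss_rate']:.0%}")
```

Detection of this kind only narrows the damage; the mitigation the incident points at is not to use a guessable value such as a social security number as the lookup key in the first place, and to rate-limit lookups per client so that a key space cannot be walked at one request per second.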

This incident shows how little we actually know about published incidents, and hints that many of the incidents that I do not include in WHID might actually be related to the application layer.