The CardSystems incident is finally part of WHID
Until today, the CardSystems incident, probably the best-known information security breach ever, was mentioned in WHID only in the FAQ. It was cited there as an example of an incident that we would like to add to WHID but could not, because there was no public information about how the hack was done. Today, nearly a year after it was initially publicized, it was added to this database. While we always suspected that it was a web hack, and industry rumors hinted as much, no public information about how the hack was carried out was available until now.
Most are already familiar with the infamous CardSystems incident, in which hackers stole 263,000 credit card numbers and exposed 40 million more, and several million dollars of fraudulent credit and debit card purchases were made with these counterfeit cards. As a result of the breach, CardSystems nearly went out of business and was eventually purchased by PayByTouch. CardSystems is considered by many the most severe publicized information security breach ever, and it caused company shareholders, financial institutions and cardholders damage of millions of dollars.
Recent articles about the case revealed that the attackers used SQL injection to install a malicious script on the CardSystems web application database, which was scheduled to run every four days, extract records, zip them and export them to an FTP site. You can find links to those articles in the CardSystems entry, WHID 2004-17.
This is one of the most stunning examples where a web application security hole was used to launch a targeted attack in order to steal money.
