Online Theft: Made Possible by SQL Injection

by Jongwoo Y
In March 2010, Albert Gonzalez and his two Russian co-conspirators were sentenced to 17 to 25 years in prison. Why? Because they had pulled off what was, in 2010, the largest online theft case in history. Albert and his accomplices used SQL injection to break into the databases of Heartland Payment Systems, a business that credit card companies and vendors use to process sales transactions (Albanesius, 2010). At the time, this was the largest identity theft case ever. The victims included 130 million people and their various credit cards, and Gonzalez was able to extract $4 million from the scheme. SQL injection works by sending crafted commands in the SQL language to a database and receiving information that the sender should never have been allowed to retrieve. The first reported case of SQL injection was in 2005, when hackers stole customer information from Petco (Albanesius, 2010). SQL injection is a much riskier form of theft than simple trojans sent to user computers, because when SQL injection is used, the risk of getting caught and facing harsh punishment is a much bigger factor than when you send a trojan to one consumer's computer. The article offers some great tips on how to avoid this type of database breach: 1) do not accept SQL statements directly, and 2) either use parameterized statements or process each query to make it safe (Albanesius, 2010).
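To show what those two tips mean in practice, here is a small added example (written for this post, not code from the PC Mag article or from Heartland) using a constructed in-memory SQLite table: a lookup that splices user input into the SQL text beside the same lookup done with a parameterized statement and an allow-list check on the input.

```python
import sqlite3

# Constructed sample data standing in for a payment processor's customer table.
# Names and card numbers are made up for this illustration only.
SAMPLE_ROWS = [
    ("alice", "4111-1111-1111-1111"),
    ("bob", "5500-0000-0000-0004"),
    ("carol", "3400-0000-0000-009"),
]


def make_db():
    """Build an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (username TEXT, card_number TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, username):
    """Tip 1 violated: the caller's text becomes part of the SQL statement,
    so a quote character in the input changes the query's logic."""
    sql = "SELECT username, card_number FROM customers WHERE username = '%s'" % username
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    """Tip 2 applied: the '?' placeholder keeps the input as data. The driver
    never parses it as SQL, so the WHERE clause compares the literal string."""
    sql = "SELECT username, card_number FROM customers WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def validate_username(username):
    """'Process each query to make it safe': reject anything that is not a
    short alphanumeric identifier before it gets anywhere near the database."""
    if not (1 <= len(username) <= 32 and username.isalnum()):
        raise ValueError("rejected username: %r" % username)
    return username


if __name__ == "__main__":
    db = make_db()
    hostile = "x' OR '1'='1"  # the textbook injection string, for comparison
    print("vulnerable:", lookup_vulnerable(db, hostile))       # every row leaks
    print("parameterized:", lookup_parameterized(db, hostile))  # no rows
    try:
        validate_username(hostile)
    except ValueError as err:
        print("validator:", err)
```

Run it and the vulnerable lookup returns all three rows for the hostile input, while the parameterized lookup returns none and the validator refuses the input outright.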

SQL injection is one of the scariest things in today's database-driven economy. Hackers are able to use simple SQL commands to extract an enormous amount of data from databases, including personal data such as credit card numbers, addresses, and social security numbers. If a hacker were to find information like that about you, they would effectively be able to become you on the internet and create a very difficult situation. This includes destroying your credit and buying expensive things in your name while you have no idea what is going on. Gonzalez and his crew could easily have made more than $4 million from the 130 million credit card numbers they had stolen. The only reason the figure stopped at $4 million was that he was caught before he could do more damage.

When I read articles like this, it amazes me that companies can feel safe leaving their customer information in such a vulnerable place. This type of topic is one of my favorites after blogging for this course. I believe more than half of my articles have to do with databases and their vulnerabilities. The fact that Heartland Payment Systems' only business is to process sales and transactions and that they leave their database so vulnerable is a joke. There is nothing else for them to protect other than employee information. It is sad that innocent people have to suffer because companies are incompetent and cannot evolve their business practices with the type of technology they are using.

Albanesius, C. (2010, May 1). PC Mag. Retrieved from ,2817,2363293,00.asp