In October 2008 Heartland Payment Systems discovered it had been breached. Albert Gonzalez and several other individuals hacked their way through an external company website using SQL injection — an attack that too often still works — to the core of Heartland’s systems. They were able to copy credit and debit card numbers and other data used in payment authorization.

At the time, that data enabled those who bought it to create new magstripe cards.

Some stats about the hack:

• Heartland’s stock price fell by 77% in the months following the attack.
• Some 130 million card numbers were exposed.
• Heartland paid $60 million in fines to Visa, over $40M to Mastercard, $5M to Discover, and $3.6M to AMEX.
• The business of signing up merchants to accept cards using Heartland’s services took a big hit.

To me, this is also something of a hero story. Because Heartland’s leadership, led by CEO Bob Carr, got angry. Yes, at the hackers. But more important they took that anger and frustration and used it to fill a gaping hole in card system security, way out in front of what the card systems themselves required.

I was fortunate enough to play a minor part in Heartland’s response. As an analyst, I got to know some key players who will tell their part of the story in this episode.