And the winner is…Heartland Payment Systems for the single largest data breach in US history. Heartland is a business that provides payment transactions, which means it acts as an intermediary between merchants and the banks and clearly has a significant amount of personal customer data stored on its systems. The data that were stolen, as I am sure you have already guessed, were payment card data (130 million credit card numbers, expiration dates, and cardholder names). The Heartland Payment System’s hacker, who also is responsible for the TJX breach in 2007, used an SQL (structured query language) injection that exploited the vulnerabilities in the database layer of the company’s website with simple database commands. SQL injections are unfortunately not uncommon and have been part of other data breaches. Table 3.1 shows some other large data breaches.