20 years for notorious TJX hacker Gonzalez

Judge imposes two 20-year concurrent sentences for multimillion credit scam crook

By Nancy Weil, IDG News Service
March 25, 2010 03:42 PM ET

IDG News Service - Hacker mastermind Albert Gonzalez was sentenced Thursday in U.S. District Court to two concurrent 20-year stints in prison for his role in what prosecutors called the "unparalleled" theft of millions of credit card numbers from major U.S. retailers.

U.S. District Court Judge Patti B. Saris announced the concurrent sentences in two 2008 cases against Gonzalez, 28, a Cuban-American, who was born in Miami, where he lived when the crimes were committed.

Gonzalez and co-conspirators hacked into computer systems and stole credit card information from TJX, Office Max, DSW and Dave and Buster's, among other online retail outlets, in one of the largest -- if not the largest -- cybercrime operations targeting that sort of data thus far. They then sold the numbers to other criminals. Gonzalez pleaded guilty to conspiracy charges in two cases related to those thefts last December and the following day entered a guilty plea in a third case involving hacking into computer networks of Heartland Payment Systems and the Hannaford Supermarkets and 7-Eleven chains. The Heartland hacking was particularly damaging because the company processes transactions for major credit and debit card companies Visa and American Express.

He is scheduled to be sentenced in the third case Friday in U.S. District Court for the District of Massachusetts. Gonzalez was indicted in New York, New Jersey and Massachusetts, with the cases eventually moved to the same federal court. Under terms of the plea deals, the U.S. Department of Justice agreed to seek sentences of no more than 25 concurrent years in prison in all three cases. After reviewing the cases following established sentencing guidelines that take into account various factors, including the effects of the crimes, the DOJ sought the maximum in two cases and 20 years in the other.

However, because the judge could decide to impose a lower sentence, defense attorney Martin Weinberg had argued that Gonzalez should be sentenced to 15 years for the two cases heard Thursday. While the government referred to the cases as "identity theft," they were instead thefts of data that did not involve stealing victims' identities to "invade their bank accounts, withdraw money, and ruin their credit," according to a court filing Monday in response to the DOJ's sentencing memorandum, which was filed last week.

Furthermore, Gonzalez "did not hack into government computer systems, he did not crash computer systems by spreading viruses or inundating them with spam, and he did not invade the privacy of individuals' computers to steal such data as passwords to compromise their financial life and invade their personal property," Weinberg wrote.

What's more, tens of millions of the stolen credit card accounts in the cases before Judge Saris Thursday "had expired and would therefore have no longer ... had credit limits at all," said the sentencing document.

The defense had further argued that Gonzalez was a substance-abusing Internet addict with Asperger's syndrome -- a form of autism -- at the time of his crimes, so he should merit fewer years in prison. Also, one of the three unrelated cases cited by the DOJ in making its argument for longer sentences -- because there should be parity in sentencing similar crimes -- was much worse than what Gonzalez did, Weinberg said in the filing.