A Miami-based hacker plead guilty this week for his role in orchestrating a series of massive data security breaches that bilked retailers and financial firms of tens of millions of credit and debit cards.
Albert Gonzalez, 28, plead guilty in federal court in Boston to conspiring to hack into computer networks operated by Heartland Payment Systems, 7-Eleven, Hannaford Brothers Co. Inc. and other retailers. Under the terms of the plea agreement, Gonzalez could face between 17 and 25 years in prison for his role in the breaches.
The credit card heist is said to have affected more than 250 financial institutions. In September, Gonzalez plead guilty to 19 counts of conspiracy, fraud and aggravated identity theft relating to hacking into numerous major U.S. retailers including TJX Co., BJ's Wholesale Club, OfficeMax, Boston Market, Barnes & Noble and Sports Authority. He was charged along with two Russian hackers for the attacks. He also plead guilty to one count of conspiracy for his role in the data breach at the Dave & Buster's restaurant chain.
String of data breaches:
Payments processor discloses massive data breach: Company says an intrusion of its processing system may be part of a broader fraud operation.
Data breach at TJX could affect millions: Retailer TJX Companies said a hacker gained access to its systems exposing the credit card data of millions of customers.
Trio indicted in restaurant data security breach: The three men allegedly deployed packet sniffers designed to capture Track 2 magnetic strip credit card data from 11 Dave & Buster's restaurants.
TJX faces data audits for 20 years under FTC settlement: TJX Cos Inc. agreed to implement tighter security and obtain independent audits every other year for 20 years, according to a settlement reached with the Federal Trade Commission.
"Criminals like Albert Gonzalez who operate in the shadows will be caught, exposed and held to account," said Assistant Attorney General Lanny A. Breuer, in a statement released by the Attorney General's office in Boston. "Indeed, with timely reporting of data breaches and high-tech investigations, even the most sophisticated hacking rings can be uncovered and dismantled, as our prosecutors and agents demonstrated in this case."
Investigators said Gonzalez leased several servers and gave access to other hackers, knowing they would use them to store malware used to launch attacks against Heartland and the retailers. Gonzalez tested the malware by running it against multiple antivirus programs to ensure that it would avoid detection. TJX malware author gets two years for data breaches
The software programmer behind the sniffer malware program used in a spate of data breaches, including the massive TJX data breach was given a two year jail sentence and ordered to pay restitution to TJX.
Stephen Watt, 25, was sentenced to two years of jail time followed by 3 years of supervised release in which his computer use will be monitored. In addition, he was ordered to pay restitution in the amount of $171.5 million.
Watt pled guilty to conspiracy charges in October, 2008. He admitted to providing a modified sniffer program used to monitor and capture data, including customers credit and credit card information as it traveled across corporate computer networks.
Watt is one of more than 10 people charged in connection to a string of data security breaches between 2003 and 2008. The program was used in a spate of data breaches including the massive TJX breach in which 45 million credit and debit cards were stolen over an 18-month period. It was installed after hackers penetrated the retailer's Wi-Fi network. TJX was later criticized for collecting and retaining too much consumer data and taking too long to deploy the stronger WPA encryption protocol at its department stores.