TJX Hacker Gets 20 Years In Prison
By Kim Zetter March 25, 2010 | 2:02 pm | Categories: Breaches, Crime, Hacks and Cracks
BOSTON — Convicted TJX hacker Albert Gonzalez was sentenced to 20 years in prison on Thursday for leading a gang of cyberthieves who stole more than 90 million credit and debit card numbers from TJX and other retailers.
The sentence for the largest computer-crime case ever prosecuted is the lengthiest ever imposed in the United States for hacking or identity theft. Gonzalez was also fined $25,000. Restitution, which will likely be in the tens of millions, was not decided Thursday.
Clean-cut, wearing a beige jail uniform and wireframe glasses, the 28-year-old Gonzalez sat motionless at his chair during Thursday’s proceedings, his hands folded in front of him.
Before the sentence was pronounced, Gonzalez told the court he deeply regrets his crimes, and is remorseful for having taken advantage of the personal relationships he’d forged. “Particularly one I had with a certain government agency … that gave me a second chance in life,” said the hacker, who had worked as a paid informant for the Secret Service. “I blame nobody but myself.”
“I violated the sanctity of my parents’ home by using it to stash illegal proceeds,” said Gonzalez. He asked for a lower sentence “so I can one day prove to [my family] that I love them as much as they love me.”
The hacker’s voice cracked and his gaze drifted to the floor as he finished his statement. His father, mother and sister sat in the front row of the gallery; Gonzalez’s father’s eyes reddened and he held a tissue to his face.
Gonzalez, who once dubbed his criminal enterprise “Operation Get Rich or Die Tryin’,” had argued in court filings that his only motive was technical curiosity and an obsession with conquering computer networks. But chat logs the government obtained showed Gonzalez confiding in one of his accomplices that his goal was to earn $15 million from his schemes, buy a yacht and then retire.
The hacker had faced a sentence of between 15 and 25 years for the TJX string of intrusions. The government sought the maximum, while Gonzalez sought the minimum, on grounds that he suffered from Asperger’s disorder and computer addiction, and that he cooperated with the government extensively against his U.S. co-conspirators and two Eastern European hackers (known only as “Grigg” and “Annex”). Gonzalez even provided the government with information about breaches that had not yet been detected.
Albert Gonzalez at the 2001 DefCon hackers' convention in Las Vegas
A psychiatrist who examined Gonzalez for prosecutors, however, found no evidence of Asperger’s disorder or computer addiction. At Thursday’s hearing, assistant U.S. attorney Stephen Heymann urged the court to hand down a 25-year sentence that would strongly deter future Albert Gonzalezes from a life of cybercrime.
Gonzalez “conned law enforcement once before with the idea that he had seen the error of his ways,” said Heymann. “What matters is that teenagers and young people not look up to him.”
Defense attorney Martin Weinberg argued the minimum 15-year sentence would be sufficient to set an example. “That’s an enormous, devastating sentence … and a compelling and clear message to anyone looking at this case that they would suffer what he has suffered.”
In splitting the difference, U.S. District Judge Patti Saris credited Gonzalez for his apparent remorse, and his bond with his family. But Saris said she was disturbed by the fact that he committed his crimes while working for the government. She explained the low $25,000 fine by predicting her restitution order, to be set at a future hearing, will be sizable.
“You’re never possibly going to be paying back all the restitution that’s going to be ordered,” said Saris.
The government claimed in its sentencing memo that companies, banks and insurers lost close to $200 million, and that Gonzalez’s credit and debit card thefts “victimized a group of people whose population exceeded that of many major cities and some states.”
Gonzalez’s crimes were committed mostly between 2005 and 2008 while he was drawing a $75,000 salary working for the U.S. Secret Service as a paid undercover informant.
The sentence is for two criminal cases that were consolidated and that concern hacks into TJX, Office Max, Dave & Busters restaurant chain, Barnes & Noble and a string of other companies.
The drama in the case continued up to the last minute when Gonzalez attempted last week to contest the monetary losses attributed to the TJX intrusion. The defense served the company with a subpoena seeking documentation to back its assessment that it suffered a $171.5 million loss, a figure that the judge will take into consideration when she decides what restitution Gonzalez will have to pay.
Gonzalez’s attorney argued in court documents that some of the losses were the result of TJX’s own negligence. Gonzalez should not be responsible, for example, for the cost of security upgrades the company implemented after the breach — upgrades that, had they been in place before, might have prevented the intrusion.
According to documents filed in a class-action lawsuit against the retailer, TJX had failed to notice 80 gigabytes of data being siphoned from its network over seven months beginning in July 2005. A 2004 audit of the company’s network had also found “high-level deficiencies” in its security practices.
On Wednesday, TJX sought to quash the 11th-hour subpoena, calling it a “diversion and a sideshow.” In a motion and memo filed with the court, the company took issue with Gonzalez’s characterization of its security.
“TJX firmly denies that it was negligent, but it is not on trial in this proceeding,” the company wrote. “Defendant’s responsibility for the loss suffered by TJX is not mitigated by accusations against TJX.”
The company pointed out that at least 11.2 million payment cards were stolen from the TJX intrusion alone. If the government calculated the potential loss at $500 per card (per federal guidelines) the impact of the intrusion would exceed $400 million.
The string of hacks began in 2005 when Gonzalez and accomplices conducted war-driving expeditions along a Miami highway and other locations in search of poorly protected wireless networks, and found easy access into several retailer networks.
Once inside a local TJX outlet’s network, the hackers forged their way upstream to its corporate network in Massachusetts. Gonzalez obtained a packet sniffer from best friend Stephen Watt, which he and accomplices installed on the TJX network to siphon transaction data in real time, including the magstripe data on the credit and debit cards.
The stolen magstripe data was routed to servers Gonzalez leased in Latvia and Ukraine, and ultimately passed to master Ukrainian card seller Maksym “Maksik” Yastremskiy, who peddled them to other carders in the underground, accepting payment through web currencies, such as E-Gold and Web Money, or direct bank-account deposits to Eastern Europe. Maksik’s customers programmed the magstripe data onto counterfeit credit cards.
Yastremskiy, whom authorities say earned $11 million from card sales, was captured in Turkey in 2007 while on vacation and was sentenced in 2009 to 30 years in prison by a Turkish court. U.S. authorities seized a treasure trove of data from his computer that helped build a case against Gonzalez.
Some of Gonzalez’s breaches were the first known intrusions to involve the decryption of PIN codes, the holy grail of bank card security. According to court documents, Gonzalez sought out accomplices in Eastern Europe to crack the PINs. Gonzalez’s associates programmed blank cards with debit card magstripe data and used them with the stolen PINs to siphon money from ATMs.
Authorities found 16.3 million stolen card numbers on Gonzalez’s leased Latvian server. Another 27.5 million stolen numbers were found on the server in Ukraine.
But this wasn’t the first of Gonzalez’s carding crimes. His initial run-in with law enforcement began in 2003, when he was arrested for making fraudulent ATM withdrawals in New York. Under the nickname “Cumbajohnny,” he was at the time a top administrator on a carding site called Shadowcrew, where crooks trafficked in stolen bank card data and other goods.
When the Secret Service discovered his central role in the carding community, the agency cut him loose and put him to work undercover on the site, where he lured his associates into using a supposedly secure VPN for their internet traffic, which was actually wiretapped by the Secret Service’s New Jersey office.
The undercover sting operation, known as “Operation Firewall,” ended in October 2004 with coordinated raids that resulted in the arrest of 28 members of the site, which agents subsequently closed.
At that point, Gonzalez, still on pre-trial release from his 2003 arrest, moved back to Miami. He continued to help the Secret Service, though he was now on salary with the agency earning $75,000 a year.
Alongside his government crime-fighting work, however, he adopted a new nick, “segvec,” and resumed his criminal activity under the noses of the agents who were paying him, ramping up his activities to a level that far exceeded any crimes he’d committed before his arrest, or any staged by the Operation Firewall defendants.
Authorities, who had no idea the “segvec” they were furiously chasing for more than a year was their salaried informant, finally figured it out and nabbed Gonzalez in May 2008. A few months later, during interrogations, he directed authorities to a stash of $1.1 million in cash that he’d buried in a barrel in the backyard of his parents’ home.
In addition to this cash, the government has seized Gonzalez’s Miami condo, a 2006 BMW, a Glock 27 firearm, a currency counter, a Tiffany diamond ring given to his former fiancée and three Rolex watches that Gonzalez gave to his father and others as gifts.
Gonzalez’s sentencing this week follows two others related to the TJX hacks. Last December, Stephen Watt, a former coder for Morgan Stanley, was sentenced to two years in prison for providing the sniffer that Gonzalez used in the TJX hack. Watt was also ordered to pay restitution to TJX, jointly with other accomplices, in the amount of $171.5 million.
Earlier this month, Humza Zaman, a former network security manager at Barclays Bank, was sentenced to 46 months in prison and fined $75,000 for serving as a money courier for Gonzalez. He was charged with laundering between $600,000 and $800,000 for Gonzalez.
Gonzalez’s sentence is among the stiffest imposed for a financial crime, and the longest U.S. prison term in history for hacking. It beats out a sentence recently imposed on hacker Max Ray Vision, who received 13 years in prison for similar crimes.
On Friday, Gonzalez will be sentenced in another case involving breaches at Heartland Payment Systems — a New Jersey card-processing company — Hannaford Brothers supermarket chain, 7-Eleven and two national retailers that are unidentified in court documents. These hacks involved more than 130 million debit and credit card numbers. He faces a likely sentence of between 17 and 25 years in that case.
Under the plea agreements, the sentences will be served concurrently.
Top photo of Albert Gonzalez courtesy of Stephen Watt
Posted by: Gewburr | 03/25/10 | 3:02 pm |
I don’t get it. Are we supposed to somehow feel sympathy?
Posted by: louis | 03/25/10 | 3:05 pm |
Well done! Now if they could just have the same courage to go against spammers who steal a great deal of valuable bandwidth, and some of my attention span too, that would be great!
Posted by: Bruckley | 03/25/10 | 3:07 pm |
Taxpayers get to pay $50,000 a year for the next 20 years for this one prisoner alone.
Posted by: baywatersport | 03/25/10 | 3:12 pm |
I am starting to think getting rid of all of my credit cards and using only a debit card was a bad idea. At least with credit cards, it’s not MY money that’s getting stolen.
Posted by: deckard68 | 03/25/10 | 3:18 pm |
Awesome. This is a real victory for the public, and a good sign that people now understand that computers can be either a tool or a weapon. To the commenter complaining that incarceration costs $50,000 a year, that amount is far less than the millions of dollars in damage he’d cause on the outside world. (And again, are we supposed to feel sympathy for the creep because he shares an interest in computers? Or because he has an interesting haircut? Please. He’d just as soon steal your money, Bruckley, as he would anyone else’s.)
Posted by: TheLandShark | 03/25/10 | 3:26 pm |
Poor sod. Better luck next life.
Posted by: kohutique | 03/25/10 | 3:26 pm |
@Bruckley: It’s still a bargain, compared to the $75,000 the government paid him before
Posted by: roebling | 03/25/10 | 3:38 pm |
Terrible. Shoplifters do more harm and scarcely spend a night locked up. He should have gotten 3 months, tops, and 5 or 7 years working to secure gov’t sites, under supervision, and testing their security by trying to hack into them. No safe cracker gets 20 years. It’s embarrassing to be an American, today.
Today, when every newscast has another example like this of how sorry our government’s leadership has become.
Posted by: CandyMan | 03/25/10 | 3:56 pm |
@roebling, please reread the article. They tried that once and he turned around and started breaking the law again. 20 yrs. is just about right for a two time loser.
@Bruckley, it’s only $50k/yr because lefties think having gyms and HBO in prison is a birthright. If Sheriff Joe in Arizona ran the Federal prison system it would be more like $1k/yr.
Posted by: rtwlff | 03/25/10 | 4:06 pm |
Smart enough to hack 90 million card numbers but not smart enough to delete incriminating e-mails and cyber evidence.
Since financial institutions still run our country they will tell our justice system how “dangerous” these hackers are.
BUT if you don’t take the opportunity the Feds give you after working for them you really can not complain when they screw you.
Posted by: ShaJ | 03/25/10 | 4:25 pm |
In the Name of “National Security” I demand the immediate release of his Secret Service Asset, ASAP, thank you.
Posted by: aurispector | 03/25/10 | 5:04 pm |
Only 20 years? Boy, did he earn that. Why do people think “Cyber” crime is somehow different?
Posted by: perlpimp | 03/25/10 | 6:48 pm |
To get more time than most rapists and murderers is a bit much. Such a smart albeit misguided person can be quite useful, deploy him to hack into China’s military facilities. Use him instead of punishing him.
Posted by: ShaJ | 03/25/10 | 7:13 pm |
@perlpimp, Great Idea, let’s make him a deal, 2 Years Community service at the NSA, targeting the PRC. Working against the PRC and dodging all the sick perverts at the NSA should be punishment enough for this young Dude.
Posted by: fpwired | 03/25/10 | 7:21 pm |
Seems to be a bit much. He’s obviously a smart kid. And the fact that he’d continue to hack while pulling in $75k for such an easy job would seem to indicate some obsessive mental issue.
Meanwhile, we have armed bank robbers pulling far less time in prison.
Our justice system is seriously screwed up. I doubt the judge even knows how to use a computer beyond surfing College Girls Gone Wild websites when his wife isn’t looking. fat f**k.
Posted by: Eightbyte | 03/25/10 | 10:39 pm |
Do you prefer he continue to steal money from everyone? Because I’m sure it’d be more than ~$1,000,000.
Posted by: poppa_p | 03/25/10 | 11:43 pm |
We try and make our own personal computers safe from cyber criminals, but we can not guarantee how safe data about us is stored by someone else.
He is clever and should serve his time using his skills to show how weak computer security systems are.
Posted by: Nym | 03/26/10 | 2:28 am |
Compare him to the twitter hacker who didn’t steal anything… He stole a lot of money, and caused harm to a lot of people. Of course he’s going to go to prison for a long time. Hacking and theft are not the same thing, even if one is used to accomplish the other too much of the time now.
Posted by: technophile | 03/26/10 | 3:00 am |
This guy is small potatoes. He stole millions from the banks? How about the billions that banks have stolen from us with their bailouts? When is the sentencing for Lloyd Blankfein, Ken Lewis, Hank Paulson, Tim Geithner, Ben Bernanke, et al.?
Posted by: Generalities | 03/26/10 | 6:01 am |
I’d be the last person to defend some of the current sentencing guidelines and a good bit of the prison system. However I’m damn glad that for one they managed to track him down and that they were then able to convict him and several of his accomplices (though I do think some of them got a bit shafted all things considered, they happened to be unlucky enough to be caught up in a showcase trial with showcase sentences).
Considering his impact I do think he deserved Prison and/or some other extended punishment. Then again I seriously hope that he doesn’t end up in some of the seriously bad prisons which do exist in the US. Where is he likely to be incarcerated anyway? I also hope that he does manage to do something constructive in the future.
As a final aside I find it interesting how hackers are treated differently from other fraudsters and other white collar criminals. They are treated as actual crooks as opposed to the other embezzlers, crooked company executives etc.
Posted by: Xelliz | 03/26/10 | 8:02 am |
Only 20 years…that’s not too bad. He’ll be 48 if he doesn’t get out early. So that’s plenty of time to be an old man…have fun.
Posted by: amesshawn | 03/26/10 | 11:24 am |
TTTT, I think that they should continue to employ this guy from jail! This is just really scary though, the whole information war going on. If this guy can do this, what about the real pros in China!!
Posted by: bobnjersey | 03/26/10 | 11:48 am |
[We try and make our own personal computers safe from cyber criminals, but we can not guarantee how safe data about us is stored by someone else.
He is clever and should serve his time using his skills to show how weak computer security systems are.]
no data stored on computers is safe. if you have something you don’t want others to have or see … put it in your back pocket. not that anyone really needed him to show this … but computer security systems can be and will be exploited as long as those making the hardware/software are immune from liability for the exploitations of their products.