TJX Accomplice Sentenced to 7 Years in Prison

BOSTON — A hacker who helped TJX hacker Albert Gonzalez and others gain access to corporate networks was sentenced to 7 years and one day on Monday. Christopher Scott, 27, pleaded guilty to breaching the wireless access points of several retailers between 2003 and 2007 to siphon credit and debit card numbers, which he then passed to Gonzalez. Prosecutors say that together the men pilfered nearly 20 million credit and debit cards, which retailers say led to $200 million in losses from fraud.

They used the cards to obtain cash advances from ATMs or sold the account information to other carders, who encoded the data to blank and counterfeit bank cards for fraudulent use. Scott’s take from the crimes was at least $400,000, according to prosecutors. He was paid in cash and with pre-paid bank cards and used the money to rent limos and party with up to 10 women at a time, prosecutors say, and later bought a car, jewelry and a $400,000 house.

The government is seeking forfeiture of $400,000, nine computers and an array of other electronic goods from Scott. Restitution will be determined at a future hearing.

Scott, who is married and has a 6-year-old stepdaughter, has been living with his family under home detention, with electronic monitoring, in his mother’s Miami house for about two years since his May 2008 arrest. During Monday’s hearing Scott, who wore glasses, black pants and a beige plaid shirt, broke down crying while making a statement to the court.

“I feel terrible for what I’ve done,” he said. “Over the past two years I have thought a lot about my bad decisions. . . . I am committed to being a positive part of society.”

His young wife, seated next to his mother and uncle, wiped tears from her eyes with the sleeve of her black turtleneck sweater.

Scott, whom authorities describe as a “junior partner” and a “valued lieutenant” in Gonzalez’s criminal enterprise, faced a life sentence prior to his plea agreement, but the agreement brought that down to a maximum sentence of 22 years and a minimum of $750,000 in fines. Prosecutors sought 13 years in prison and restitution in the amount of $189 million.

“The case before this court will be a benchmark for other computer hackers and identity thieves,” prosecutors wrote in their sentencing memo, “and there is no shortage of them out there…. There has never been a computer hacking and identity theft case … where the financial cost has been so dear or the breadth of the personal victimization so large.”

His attorney sought three years in prison and two years’ probation, including one year of home detention and electronic monitoring, plus 480 hours of community service. He also asked that the court forgo a fine or restitution.

But U.S. District Judge Douglas Woodlock, who sentenced TJX ringleader Gonzalez last week to 20 years in prison, said that hacking crimes “open up a Pandora’s box of harm to the community,” and that it was important to send a message to other youths who might follow in his footsteps that they will be punished. Although he contemplated giving Scott 10 years, he took into consideration the significant domestic responsibilities that Scott had assumed in helping to raise his stepdaughter and get his wife, a former cocaine addict, off drugs. Scott remains free, pending a self-surrender scheduled for May 7.

Scott’s illegal activity began in 2003 when he breached a BJ’s Wholesale Club through one of the company’s wireless access points, according to court records.

Then, in 2004, with his former best friend Jonathan James, he also gained access to Office Max’s network through an unsecured wireless access point while “war driving” along U.S. Highway 1 in Miami. He also compromised networks belonging to Boston Market, Sports Authority and numerous other retailers.

Authorities say Scott, with Gonzalez or James, cruised up and down the highway for vulnerable access points; once they discovered one, they’d sit in their car or in a nearby rented room and work on breaching the network perimeter to find card data in transit or stored in databases on company networks.

In July 2005, he obtained access to TJX through two wireless access points at Marshall’s stores and from there moved up to the corporate network at TJX headquarters in Framingham, Massachusetts.

In May 2006, Scott set up an encrypted VPN connection to TJX’s card transaction system and installed sniffer programs on the network to capture password and account information as well as card data. The program would then send the captured data back through the encrypted VPN channel to a server Gonzalez controlled.

It was Scott, prosecutors say, who “spent hour upon hour stealing tens of millions of credit and debit” data from retailers. DSW, a national shoe retailer, says that Scott stole more than 1 million card numbers from its network and caused losses between $6.5 million and $9.5 million; TJX reported that Scott stole 11 million card numbers from its network and caused losses of about $170 million.

Scott also used tools provided by Gonzalez to decrypt PINs associated with bank cards.

Banks and insurers claim to have lost about $200 million from the intrusions, which prosecutors say is among the largest losses ever recorded nationwide and is “five times as large as those caused by any individual ever convicted” in Massachusetts, except for Gonzalez himself.

Scott, like many of his cohorts in the TJX conspiracy, was a self-taught tech geek. He got his first computer at the age of 10 and promptly took it apart and re-assembled it, to the astonishment of his mother and dismay of his father, who tried unsuccessfully to direct his son to outdoor interests and sports.

In 1999, Scott disabled all the computers in his school with a virus and was told to leave school or be expelled. He left.

Scott, who was known online as “UT” for “Untouchable,” has prior arrests for possession of marijuana, loitering and grand theft, though most of the charges were dismissed, according to court records. He smoked marijuana daily, allegedly to deal with symptoms related to an attention deficit hyperactivity disorder. When authorities searched his house in 2008 in relation to the TJX hack, they found a marijuana “grow lab” and “numerous firearms.”

His lawyer told the court that while growing up in Miami, the defendant was bullied and teased throughout his teens for obesity and lack of social skills. He found acceptance and camaraderie only among other hackers at meetings of his local 2600 group – regional groups formed by readers of the 2600 hacking magazine. It was in this group that he met James as well as Gonzalez.

Around 2003, Gonzalez talked Scott into hacking into various retailers’ wireless networks to obtain card data. He was happy to participate for about four years but stopped in late 2007, about seven months before he was arrested in May 2008. The bust was the first of three life-changing events for him.

Shortly after Scott’s arrest, James, 24 and Scott’s “one dear friend,” killed himself with a shotgun about two weeks after Secret Service agents raided his home in connection with the hacks into TJX, OfficeMax and other retailers. In his suicide note, James, who suffered from depression, said he was innocent of the TJX intrusion, but mistrusted the justice system and felt he had no control over the situation; he was certain prosecutors would make a scapegoat of him.

Then in July, Scott’s father died of cancer in Arkansas. Scott was unable to be by his side at the time, due to court obligations.

Scott, whom authorities called a “teenage misfit on a foolish frolic,” pleaded guilty to his crimes but his lawyer maintains, in his sentencing memo, that Scott “had never done anything with [the data] he had found nor had he even appreciated what the data was.” Gonzalez taught him how to find card data on a network, the memo said, and also provided Scott with the sniffer program to intercept it. Once he obtained the data, he handed it off to Gonzalez.

“Mr. Scott had neither the criminal expertise nor the awareness that such an enterprise could even be possible,” the memo states. He also “never expected that losses would reach anything close to the loss figure alleged.”

His attorney likened Scott’s role in the conspiracy to that of Stephen Watt, who wrote the sniffer program that was used in the TJX hack. Watt was sentenced to two years last December for his role in the breach.

But there’s a difference between Watt’s involvement and that of Scott: Watt was never accused of entering the breached networks, only of providing a tool that helped others do so. Scott, by contrast, acknowledges entering the networks, retrieving data and passing it to Gonzalez. Scott also acknowledged profiting from the spoils to the tune of hundreds of thousands of dollars.

Assistant U.S. attorney Stephen Heymann told the court that Scott only stopped working with Gonzalez in 2007 because his skill set was no longer needed. Instead of breaching networks through wireless access points — Scott’s specialty — Gonzalez and crew switched to attacking corporate networks with SQL injection attacks aimed at their vulnerable web sites.

At that point, his utility and skills “fades out like General [Douglas] MacArthur,” Heymann said, and Gonzalez brings other accomplices on board.

By Kim Zetter
Threat Level
March 29, 2010