BOSTON — Convicted TJX hacker Albert Gonzalez was sentenced to 20 years in prison on Thursday for leading a gang of cyberthieves who stole more than 90 million credit and debit card numbers from TJX and other retailers.
The sentence for the largest computer-crime case ever prosecuted is the lengthiest ever imposed in the United States for hacking or identity theft. Gonzalez was also fined $25,000. Restitution, which will likely be in the tens of millions, was not decided Thursday.
Clean-cut, wearing a beige jail uniform and wireframe glasses, the 28-year-old Gonzalez sat motionless at his chair during Thursday’s proceedings, his hands folded in front of him.
Before the sentence was pronounced, Gonzalez told the court he deeply regrets his crimes, and is remorseful for having taken advantage of the personal relationships he’d forged. “Particularly one I had with a certain government agency … that gave me a second chance in life,” said the hacker, who had worked as a paid informant for the Secret Service. “I blame nobody but myself.”
“I violated the sanctity of my parents’ home by using it to stash illegal proceeds,” said Gonzalez. He asked for a lower sentence “so I can one day prove to [my family] that I love them as much as they love me.”
The hacker’s voice cracked and his gaze drifted to the floor as he finished his statement. His father, mother and sister sat in the front row of the gallery; Gonzalez’s father’s eyes reddened and he held a tissue to his face.
Gonzalez, who once dubbed his criminal enterprise “Operation Get Rich or Die Tryin’,” had argued in court filings that his only motive was technical curiosity and an obsession with conquering computer networks. But chat logs the government obtained showed Gonzalez confiding in one of his accomplices that his goal was to earn $15 million from his schemes, buy a yacht and then retire.
The hacker had faced a sentence of between 15 and 25 years for the TJX string of intrusions. The government sought the maximum, while Gonzalez sought the minimum, on grounds that he suffered from Asperger’s disorder and computer addiction, and that he cooperated with the government extensively against his U.S. co-conspirators and two Eastern European hackers (known only as “Grigg” and “Annex”). Gonzalez even provided the government with information about breaches that had not yet been detected.
A psychiatrist who examined Gonzalez for prosecutors, however, found no evidence of Asperger’s disorder or computer addiction. At Thursday’s hearing, assistant U.S. attorney Stephen Heymann urged the court to hand down a 25-year sentence that would strongly deter future Albert Gonzalezes from a life of cybercrime.
Gonzalez “conned law enforcement once before with the idea that he had seen the error of his ways,” said Heymann. “What matters is that teenagers and young people not look up to him.”
Defense attorney Martin Weinberg argued the minimum 15-year sentence would be sufficient to set an example. “That’s an enormous, devastating sentence … and a compelling and clear message to anyone looking at this case that they would suffer what he has suffered.”
In splitting the difference, U.S. District Judge Patti Saris credited Gonzalez for his apparent remorse, and his bond with his family. But Saris said she was disturbed by the fact that he committed his crimes while working for the government. She explained the low $25,000 fine by predicting her restitution order, to be set at a future hearing, will be sizable.
“You’re never possibly going to be paying back all the restitution that’s going to be ordered,” said Saris.
The government claimed in its sentencing memo that companies, banks and insurers lost close to $200 million, and that Gonzalez’s credit and debit card thefts “victimized a group of people whose population exceeded that of many major cities and some states.”
Gonzalez’s crimes were committed mostly between 2005 and 2008 while he was drawing a $75,000 salary working for the U.S. Secret Service as a paid undercover informant.
The sentence is for two criminal cases that were consolidated and that concern hacks into TJX, OfficeMax, the Dave & Buster's restaurant chain, Barnes & Noble and a string of other companies.
The drama in the case continued up to the last minute when Gonzalez attempted last week to contest the monetary losses attributed to the TJX intrusion. The defense served the company with a subpoena seeking documentation to back its assessment that it suffered a $171.5 million loss, a figure that the judge will take into consideration when she decides what restitution Gonzalez will have to pay.
Gonzalez’s attorney argued in court documents that some of the losses were the result of TJX’s own negligence. Gonzalez should not be responsible, for example, for the cost of security upgrades the company implemented after the breach — upgrades that, had they been in place before, might have prevented the intrusion.
According to documents filed in a class-action lawsuit against the retailer, TJX had failed to notice 80 gigabytes of data being siphoned from its network over seven months beginning in July 2005. A 2004 audit of the company’s network had also found “high-level deficiencies” in its security practices.
On Wednesday, TJX sought to quash the 11th-hour subpoena, calling it a “diversion and a sideshow.” In a motion and memo filed with the court, the company took issue with Gonzalez’s characterization of its security.
“TJX firmly denies that it was negligent, but it is not on trial in this proceeding,” the company wrote. “Defendant’s responsibility for the loss suffered by TJX is not mitigated by accusations against TJX.”
The company pointed out that at least 11.2 million payment cards were stolen from the TJX intrusion alone. If the government calculated the potential loss at $500 per card (per federal guidelines) the impact of the intrusion would exceed $400 million.
The string of hacks began in 2005 when Gonzalez and accomplices conducted war-driving expeditions along a Miami highway and other locations in search of poorly protected wireless networks, and found easy access into several retailer networks.
Once inside a local TJX outlet’s network, the hackers forged their way upstream to its corporate network in Massachusetts. Gonzalez obtained a packet sniffer from best friend Stephen Watt, which he and accomplices installed on the TJX network to siphon transaction data in real time, including the magstripe data on the credit and debit cards.
The stolen magstripe data was routed to servers Gonzalez leased in Latvia and Ukraine, and ultimately passed to master Ukrainian card seller Maksym “Maksik” Yastremskiy, who peddled it to other carders in the underground, accepting payment through web currencies, such as E-Gold and Web Money, or direct bank-account deposits to Eastern Europe. Maksik’s customers programmed the magstripe data onto counterfeit credit cards.
Yastremskiy, who authorities say earned $11 million from card sales, was captured in Turkey in 2007 while on vacation and was sentenced in 2009 to 30 years in prison by a Turkish court. U.S. authorities seized a treasure trove of data from his computer that helped build a case against Gonzalez.
Some of Gonzalez’s breaches were the first known intrusions to involve the decryption of PIN codes, the holy grail of bank card security. According to court documents, Gonzalez sought out accomplices in Eastern Europe to crack the PINs. Gonzalez’s associates programmed blank cards with debit card magstripe data and used them with the stolen PINs to siphon money from ATMs.
Authorities found 16.3 million stolen card numbers on Gonzalez’s leased Latvian server. Another 27.5 million stolen numbers were found on the server in Ukraine.
But this wasn’t the first of Gonzalez’s carding crimes. His initial run-in with law enforcement began in 2003, when he was arrested for making fraudulent ATM withdrawals in New York. Under the nickname “Cumbajohnny,” he was at the time a top administrator on a carding site called Shadowcrew, where crooks trafficked in stolen bank card data and other goods.
When the Secret Service discovered his central role in the carding community, the agency cut him loose and put him to work undercover on the site, where he lured his associates into using a supposedly secure VPN for their internet traffic, which was actually wiretapped by the Secret Service’s New Jersey office.
The undercover sting operation, known as “Operation Firewall,” ended in October 2004 with coordinated raids that resulted in the arrest of 28 members of the site, which agents subsequently closed.
At that point, Gonzalez, still on pre-trial release from his 2003 arrest, moved back to Miami. He continued to help the Secret Service, though he was now on salary with the agency earning $75,000 a year.
Alongside his government crime-fighting work, however, he adopted a new nick, “segvec,” and resumed his criminal activity under the noses of the agents who were paying him, ramping up his activities to a level that far exceeded any crimes he’d committed before his arrest, or any staged by the Operation Firewall defendants.
Authorities, who had no idea the “segvec” they were furiously chasing for more than a year was their salaried informant, finally figured it out and nabbed Gonzalez in May 2008. A few months later, during interrogations, he directed authorities to a stash of $1.1 million in cash that he’d buried in a barrel in the backyard of his parents’ home.
In addition to this cash, the government has seized Gonzalez’s Miami condo, a 2006 BMW, a Glock 27 firearm, a currency counter, a Tiffany diamond ring given to his former fiancée and three Rolex watches that Gonzalez gave to his father and others as gifts.
Gonzalez’s sentencing this week follows two others related to the TJX hacks. Last December, Stephen Watt, a former coder for Morgan Stanley, was sentenced to two years in prison for providing the sniffer that Gonzalez used in the TJX hack. Watt was also ordered to pay restitution to TJX, jointly with other accomplices, in the amount of $171.5 million.
Earlier this month, Humza Zaman, a former network security manager at Barclays Bank, was sentenced to 46 months in prison and fined $75,000 for serving as a money courier for Gonzalez. He was charged with laundering between $600,000 and $800,000 for Gonzalez.
Gonzalez’s sentence is among the stiffest imposed for a financial crime, and the longest U.S. prison term in history for hacking. It beats out a sentence recently imposed on hacker Max Ray Vision, who received 13 years in prison for similar crimes.
On Friday, Gonzalez will be sentenced in another case involving breaches at Heartland Payment Systems — a New Jersey card-processing company — Hannaford Brothers supermarket chain, 7-Eleven and two national retailers that are unidentified in court documents. These hacks involved more than 130 million debit and credit card numbers. He faces a likely sentence of between 17 and 25 years in that case.
Under the plea agreements, the sentences will be served concurrently.