Hacker tied to massive retail credit card theft pleads guilty in Mass. to 3rd criminal case

By Bob Salsberg, AP
Tuesday, December 29, 2009

Hacker pleads guilty in Mass. to fraud case

BOSTON — A computer hacker who helped orchestrate the theft of tens of millions of credit and debit card numbers from major retailers in one of the largest such thefts in U.S. history pleaded guilty Tuesday in the last of three cases brought by federal prosecutors.

Albert Gonzalez, a one-time federal informant from Miami, faces a prison sentence of up to 25 years under the terms of separate plea agreements. He is tentatively scheduled for sentencing in March.

“This is a young kid who did some reckless things and he’s going to pay a price for it,” said Gonzalez’s attorney, Martin Weinberg, after his 28-year-old client calmly answered guilty to charges of conspiracy and wire fraud.

Weinberg said Gonzalez was remorseful and that he would ask two federal judges hearing the cases to sentence Gonzalez to the lower end of the 17- to 25-year sentencing range spelled out in the plea agreements.

Tuesday’s plea stemmed from a case that was originally brought by federal prosecutors in New Jersey, but later transferred to Boston. It charged Gonzalez with conspiracy to gain unauthorized access to computer servers at Hannaford Brothers Inc., a Maine-based supermarket chain; convenience store giant 7-Eleven Inc.; Heartland Payment Systems Inc., a New Jersey-based processor of credit and debit cards; and two unnamed companies.

Gonzalez pleaded guilty in September in two other cases that were combined in Boston. Those cases included charges that he hacked into the computers of prominent retailers such as TJX Cos., BJ’s Wholesale Club, OfficeMax, BostonMarket, Barnes & Noble and Sports Authority.

Under questioning Tuesday by U.S. District Court Judge Douglas Woodlock, Gonzalez indicated that he had used alcohol and a number of drugs, including marijuana, cocaine and LSD, prior to his arrest in May 2008.

Federal prosecutors have agreed to seek concurrent sentences in the cases, meaning that Gonzalez would serve no more than 25 years in prison. Weinberg, however, said he would argue for a lesser sentence based on factors including the prior drug abuse and a psychiatrist’s report that Gonzalez exhibits behavior consistent with Asperger’s syndrome, a form of autism.

The defense-commissioned report by Dr. Barry Roth described Gonzalez as an Internet addict with an “idiot-Savant-like genius for computers and information technology,” but socially awkward.

“His personal life has been characterized most of all by awkwardness, impairment, troubles connecting to people, with an overarching preference and predilection to machines and technology,” Roth wrote.

Authorities said Gonzalez, who said he had worked as a computer security consultant, was the ringleader of a group that targeted large retailers.

In 2003, Gonzalez was arrested for hacking but was not charged because he became an informant, helping the Secret Service find other hackers. But authorities said he continued to use his talents for illegal activities.

Over the next five years, he hacked into the computer systems of retailers even while providing assistance to the government.

He lived lavishly during that time. Authorities said he amassed $2.8 million and bought a Miami condo and a BMW. Under the plea deals, Gonzalez must forfeit more than $2.7 million, plus his condo, car, a Tiffany ring he gave to his girlfriend and Rolex watches he gave to his father and friends.

Before accepting the plea Tuesday, Woodlock heard Assistant U.S. Attorney Stephen Heymann outline the sophisticated hacking scheme, which also involved an individual identified only as “P.T.” and two individuals identified in the indictment as Hacker 1 and Hacker 2. Heymann said they remain fugitives.

Gonzalez identified potential corporate victims by poring through lists of Fortune 500 companies and by going to retail stores to probe for potential vulnerabilities, Heymann said.

“It was foreseeable to defendant Gonzalez that the losses resulting from unauthorized access into the servers of the corporate victims identified in the indictment would exceed $20 million,” Heymann said.

will not be displayed