Hacker gets 20 years for stealing millions of credit card numbers from TJX, BJ’s Wholesale

Hacker gets 20 years for stealing credit card data

BOSTON — A computer hacker from Miami who orchestrated one of the largest theft of credit and debit card numbers in U.S. history was sentenced Thursday to 20 years in prison after he apologized for leading a scheme that cost companies, banks and insurers nearly $200 million.

Albert Gonzalez, a one-time federal informant, pleaded guilty last year to breaking into the computer networks of major retailers, including TJX Cos., BJ’s Wholesale Club, Barnes & Noble, OfficeMax, and the restaurant chain Dave & Buster’s.

U.S. District Judge Patti Saris sentenced Gonzalez to the middle of the 15- to 25-year range spelled out in a plea agreement Gonzalez reached with prosecutors.

Just before he was sentenced, the 28-year-old Gonzalez apologized as his mother, father and sister watched from the front row of the courtroom. His father wept softly and dabbed his eyes with a handkerchief.

Gonzalez said he did it not out of greed, but instead “because of my inability to stop my pursuit” and “my (Internet) addiction.”

“I blame nobody but myself,” he said.

He said he did not give much thought to people whose credit and debit card numbers were stolen. “I always thought that they were being made whole by their financial institutions,” he said.

Authorities said Gonzalez amassing $2.8 million he used to buy a Miami condo, a car, Rolex watches and a Tiffany ring for his girlfriend. They said Gonzalez and two foreign co-defendants would drive past retailers with a laptop computer, tapping into those with vulnerable wireless Internet signals. The trio would then install “sniffer programs” that picked off credit and debit card numbers as they moved through a retailer’s computers before trying to sell the numbers overseas, authorities said.

Gonzalez, who was known online as “soupnazi,” was a self-taught computer genius.

He was first arrested for hacking in 2003, but was not charged because he became an informant, helping the Secret Service find other hackers. But authorities said that over the next five years, he hacked into the computer systems of Fortune 500 companies even while providing assistance to the government.

Assistant U.S. Attorney Stephen Heymann said Gonzalez led a group of professional hackers and identity thieves in three states, Ukraine and Russia. He said the group made money by selling numbers on the black market and by going to ATMs and taking “bundles of money” out of accounts.

Prosecutors estimate the group stole tens of millions of debit and credit card numbers, costing corporations and banks millions when they were forced to cancel accounts, open new accounts, monitor accounts for fraud, beef up their network security and invest in public relations to ensure they wouldn’t lose customers. Authorities found more than 40 million distinct card numbers on two of Gonzalez’s computer servers.

Prosecutors asked for the maximum, 25-year sentence under the plea deal, while Gonzalez’s attorney, Martin Weinberg, asked for the low end of 15 years.

Weinberg said Gonzalez has “gained an understanding of the harm he’s done” during the 22 months he’s spent in jail since his arrest in May 2008, and has “genuine and deep remorse.”

“He recognizes what he did was wrong,” Weinberg said.

Weinberg also cited a report from a defense psychiatrist who said Gonzalez showed behavior consistent with Asperger’s syndrome, a form of autism, and Internet addiction. He said that for Gonzalez, a computer “is like a drug.”

Saris sentenced Gonzalez to two 20-year terms — to run concurrently — one for a Massachusetts case that included the theft from Framingham-based TJX Cos., OfficeMax and other stores, and the other from a New York case that included Dave & Buster’s.

Gonzalez is scheduled to be sentenced Friday by a different judge in Boston in a New Jersey case involving the theft of card numbers from the Scarsborough, Maine-based Hannaford Bros. supermarket chain, 7-Eleven and Heartland.

Saris also sentenced Gonzalez to three years of supervised release after he completes his prison term. During those three years, he cannot have any access to computers, Saris said.

The judge set a separate hearing for June 25 to determine the amount of restitution Gonzalez will be ordered to pay, although the judge acknowledged that Gonzalez will not likely be able to pay the large amount she is expected to order.

Under the plea deals, Gonzalez must forfeit more than $2.7 million of the $2.8 million that authorities say he stole. He also must give up his condo, car, a Tiffany ring that he gave to his girlfriend and Rolex watches he gave to his father and friends.