Gonzalez sentenced for multimillion dollar credit card scam

Judge imposes two 20-year concurrent sentences

Hacker mastermind Albert Gonzalez was sentenced Thursday in U.S. District Court to two concurrent 20-year stints in prison for his role in what prosecutors called the "unparalleled" theft of millions of credit card numbers from major U.S. retailers.

U.S. District Court Judge Patti B. Saris announced the concurrent sentences in two 2008 cases against Gonzalez, 28, a Cuban-American, who was born in Miami, where he lived when the crimes were committed.

Gonzalez and co-conspirators hacked into computer systems and stole credit card information from TJX, Office Max, DSW and Dave and Buster's, among other online retail outlets, in one of the largest -- if not the largest -- cybercrime operations targeting that sort of data thus far. They then sold the numbers to other criminals. Gonzalez pleaded guilty to conspiracy charges in two cases related to those thefts last December and the following day entered a guilty plea in a third case involving hacking into computer networks of Heartland Payment Systems and the Hannaford Supermarkets and 7-Eleven chains. The Heartland hacking was particularly damaging because the company processes transactions for major credit and debit card companies Visa and American Express.

He is scheduled to be sentenced in the third case Friday in U.S. District Court for the District of Massachusetts. Gonzalez was indicted in New York, New Jersey and Massachusetts, with the cases eventually moved to the same federal court. Under terms of the plea deals, the U.S. Department of Justice agreed to seek sentences of no more than 25 concurrent years in prison in all three cases. After reviewing the cases following established sentencing guidelines that take into account various factors, including the effects of the crimes, the DOJ sought the maximum in two cases and 20 years in the other.

However, because the judge could decide to impose a lower sentence, defense attorney Martin Weinberg had argued that Gonzalez should be sentenced to 15 years for the two cases heard Thursday. While the government referred to the cases as "identity theft," they were instead thefts of data that did not involve stealing victims' identities to "invade their bank accounts, withdraw money, and ruin their credit," according to a court filing Monday in response to the DOJ's sentencing memorandum, which was filed last week.

Furthermore, Gonzalez "did not hack into government computer systems, he did not crash computer systems by spreading viruses or inundating them with spam, and he did not invade the privacy of individuals' computers to steal such data as passwords to compromise their financial life and invade their personal property," Weinberg wrote.

What's more, tens of millions of the stolen credit card accounts in the cases before Judge Saris Thursday "had expired and would therefore have no longer ... had credit limits at all," said the sentencing document.

The defense had further argued that Gonzalez was a substance-abusing, Internet addict with Asperger's syndrome -- a form of autism -- at the time of his crimes, so he should merit fewer years in prison. Also, one of the three unrelated cases cited by the DOJ in making its argument for longer sentences -- because there should be parity in sentencing similar crimes -- was much worse than what Gonzalez did, Weinberg said in the filing.

While noting that it sought sentences that would be "the longest ever imposed in an identity theft case and among the longest imposed for a financial crime," federal prosecutors said that sending Gonzalez to prison for that long is justified because he was "at the center of the largest and most costly series of identify thefts in the nation's history. He knowingly victimized a group of people whose population exceeded that of many major cities and some states -- certainly millions upon millions, perhaps tens of millions. He did so at the cost of hundreds of millions of dollars to businesses ranging from small banks and credit unions to Fortune 500 companies. And he did so while on pretrial release from an earlier federal case and while intentionally obstructing justice," the DOJ argued in its sentencing memorandum.

The full financial damage of the crimes committed by Gonzalez and his co-conspirators, who were in the U.S., Turkey and Russia, is difficult to assess. Weinberg argued in court filings that because Gonzalez and his cybercrime gang stole data that they then sold to others, the government's estimates far exceed the real total in damages, particularly given that many of the stolen credit and debit card numbers were expired.

The government countered that the potential for loss had to be taken into account, with the credit limits available on so many stolen numbers factored in. Additionally, in victim impact statements TJX said that the hacking cost it at least $171.5 million that has already been paid out or will be in the future, the DOJ noted. Heartland has said it lost almost $130 million. The company has agreed to multimillion dollar settlements with Visa and American Express for damages in the hacking thefts.

As for Gonzalez's mental health, a psychiatric evaluation performed for the prosecution countered an evaluation conducted for the defense, finding that while Gonzalez was indeed prone to abuse substances, that was no excuse for the crimes he committed, and that his role in the hacking suggests he does not have Asperger's, whose sufferers are not usually leaders. Furthermore, even if Gonzalez did spend enough time online to constitute Internet addiction, which is not a clinical diagnosis, the fact remains that he was engaged in cybercrime.

In perhaps the most bizarre and complicated twist, Gonzalez was "for a significant portion of the time ... (purportedly) assisting the Secret Service to investigate others," the DOJ said in its sentencing document, referring to a deal Gonzalez cut to avoid prison in a separate cybercrime case. "During this time, however, Gonzalez simultaneously was using sensitive investigative information he learned from the Secret Service to obstruct justice by ensuring that his co-conspirators escaped detection. ... Gonzalez even callously laundered tens of thousands of dollars in currency through his parents' line of credit, and stashed another $1.1 million in a hole in their backyard."

Gonzalez, who punctuated Internet messages with smiley faces when he was pleased to hear that the cybercrime ring was raking in huge sums of money selling stolen credit and debit card numbers, told one of the co-conspirators via ICQ that he wanted to make enough money to buy a yacht and retire from criminal activity. By the time he was arrested, Gonzalez had acquired a condominium in Miami, a 2006 BMW 330I, multiple computers, a Glock 27 gun and $1.65 million, all of which he forfeited as part of the plea agreement. That money was on top of more than $20,000 seized when he was arrested on May 7, 2008.

"Albert Gonzalez was motivated by ego, challenge and greed and was proud of the national attention his computer intrusions and data thefts drew," the DOJ said in its sentencing filing. "They drew that attention because they victimized more people than anyone had ever done before in this country, caused hundreds of millions of dollars in losses, and shook the public's trust in the security of credit and debit card transactions at some of the country's largest institutions.

"Gonzalez already has been given a second chance. He used that second chance not to straighten out his life, but to provide cover as committed ever more brash and destructive crimes."

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection

Tags retailUSrussiaCredit card fraudTurkey

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Nancy Weil

IDG News Service
Show Comments


James Cook University - Master of Data Science Online Course

Learn more >


Sansai 6-Outlet Power Board + 4-Port USB Charging Station

Learn more >



Back To Business Guide

Click for more ›

Most Popular Reviews

Latest Articles


PCW Evaluation Team

Louise Coady

Brother MFC-L9570CDW Multifunction Printer

The printer was convenient, produced clear and vibrant images and was very easy to use

Edwina Hargreaves

WD My Cloud Home

I would recommend this device for families and small businesses who want one safe place to store all their important digital content and a way to easily share it with friends, family, business partners, or customers.

Walid Mikhael

Brother QL-820NWB Professional Label Printer

It’s easy to set up, it’s compact and quiet when printing and to top if off, the print quality is excellent. This is hands down the best printer I’ve used for printing labels.

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

Featured Content

Product Launch Showcase

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?