Forgot your password?
typodupeerror
Crime Security The Courts Your Rights Online

20 Years For Gonzalez In TJX Hacker Case 94

Posted by Soulskill
from the see-you-when-we-have-flying-cars dept.
alphadogg writes "Hacker mastermind Albert Gonzalez was sentenced Thursday in US District Court to two concurrent 20-year stints in prison for his role in what prosecutors called the 'unparalleled' theft of millions of credit card numbers from major US retailers. US District Court Judge Patti B. Saris announced the concurrent sentences in two 2008 cases against Gonzalez, 28, a Cuban-American who was born in Miami, where he lived when the crimes were committed. Gonzalez and co-conspirators hacked into computer systems and stole credit card information from TJX, Office Max, DSW and Dave and Buster's, among other online retail outlets, in one of the largest — if not the largest — cybercrime operations targeting that sort of data thus far. They then sold the numbers to other criminals. Gonzalez pleaded guilty to conspiracy charges in two cases related to those thefts last December and the following day entered a guilty plea in a third case involving hacking into computer networks of Heartland Payment Systems and the Hannaford Supermarkets and 7-Eleven chains."
This discussion has been archived. No new comments can be posted.

20 Years For Gonzalez In TJX Hacker Case

Comments Filter:
  • by smooth wombat (796938) on Friday March 26, 2010 @08:51AM (#31624704) Homepage Journal

    I misread the first line as "Alberto Gonzalez".

    One can still dream though.

    • Re: (Score:1, Offtopic)

      OT but I'll try to paraphrase a really obscene exchange of Alberto's perjured Senate testimony. This is where they gave him a week to "correct himself":

      Schumer: "So, you're saying this information was publicly available even though there is no evidence of what you're saying."
      Fredo: "Yes, I told a reporter."
      Schumer: "Oh! You did! Which reporter did you tell at which outlet?"
      Fredo: "Um, it wasn't really me, it was someone who worked for me."
      Schumer: "Oh! So who did you tell in your staff to alert the media

  • by Anonymous Coward

    You'll get less for murder.

    • by CSHARP123 (904951)
      In today's world, if your identity is compromised like this, people will go bankrupt very easily. That in majority of cases bring peoples life to stand still. They have to go through hell to fix the problem. He deserves what he got. Let him rot in jail.
    • by OzPeter (195038)

      You'll get less for murder.

      OT sort of. This last week there was a guy in VA who was sentenced in an online pedophile chat room incident. It was the usual police sting where the guy *thought* he was chatting to a teenage girl, but never actually did. His sentence .. 100 years. My first thought was that it just made abducting and murdering teenage girls less risky than thinking you were chatting with them online

      • by omarius (52253)

        Um, I'm fairly sure that in VA the penalty for what you describe is death. I suppose it's debatable whether that's preferable to 100 years in prison.

    • by CohibaVancouver (864662) on Friday March 26, 2010 @11:14AM (#31626720)

      You'll get less for murder.

      Most murders are committed in the heat of passion by mentally unbalanced people. This guy rationally and knowingly RUINED many people's lives. He can rot in prison for all I care.

      • by couchslug (175151)

        The nature of his crime means he can easily repeat it if released. The solution is not to release him.

      • So why are the floor traders at enron and most of wallstreet still walking around in public? They knowingly RUINED the lives of hundreds of thousands of people, not just "many".
  • I wonder whether Albert Gonzalez ever self-identified as "Cuban-American" or whether the Fourteenth Amendment was repealed.
  • So (Score:3, Interesting)

    by zoomshorts (137587) on Friday March 26, 2010 @09:03AM (#31624818)

    "Heartland claimed that no merchant data, cardholder's Social Security numbers, or unencrypted personal identification numbers (PIN), addresses or telephone numbers were compromised. "

    So where is the crime if nothing was compromised?

    • Re:So (Score:5, Informative)

      by YrWrstNtmr (564987) on Friday March 26, 2010 @09:09AM (#31624900)
      So where is the crime if nothing was compromised?

      I know reading the link is frowned upon in here, but the actual credit card numbers were lifted. Plus (FTA), "It also appears that those behind the breach "made off with the gold" by intercepting and stealing the so-called Track 2 data from the magnetic stripe on the back of cards, which is all that's needed to create counterfeit cards"
    • The crime is that he did something that is blatantly illegal. He illegally breeched that companies systems. The consequences of people's actions aren't so simple. There may be no 'visible' harm, but you don't hear the story of their IT staff having to work overtime to resolve that breech and the money that company spent to do it. You can justify it by saying the man was helping further their security by showing them a weakness, but that justification fails when he did it to take advantage of them.
    • by Smallpond (221300)

      Gonzalez is evidently charged with not only the Heartland case, but also the TJX break-in from 2007.

  • What's the logic behind concurrent sentences. 2 concurrent 20 year sentences is for all intents and purposes the same as one 20 year sentence. SO he basically got away with one of the crimes with no punishment. If its because 40 years for these 2 crimes is too harsh, then logically 20 years is too harsh for 1 and the law needs to be changed. Can someone explain the logic to me

  • Hacker mastermind Albert Gonzalez was sentenced Thursday in US District Court to two concurrent 20-year stints in prison for his role in what prosecutors called the 'unparalleled' theft of millions of credit card numbers from major US retailers.

    If I was Albert Gonzalez, I would have asked for 480 concurrent 1-month sentences instead. Then when the judge finalized the sentence, I'd show him the definition of the word "concurrent".

    • by Smallpond (221300)

      Hacker mastermind Albert Gonzalez was sentenced Thursday in US District Court to two concurrent 20-year stints in prison for his role in what prosecutors called the 'unparalleled' theft of millions of credit card numbers from major US retailers.

      If I was Albert Gonzalez, I would have asked for 480 concurrent 1-month sentences instead. Then when the judge finalized the sentence, I'd show him the definition of the word "concurrent".

      Then the crime wouldn't be 'unparalleled', would it? Besides, the judge could just add a mutex to each sentence so they end up being sequential anyway.

  • TJX Case (Score:5, Insightful)

    by Virtucon (127420) on Friday March 26, 2010 @09:11AM (#31624934)

    What's missing here is the fact that TJX didn't take reasonable precautions to protect the data.

    They already coughed up $41m to Visa and the FTC received a chunk of change from them as well.

    The only way these kinds of thefts will be stopped is if these companies get serious about protecting Credit Card and Personal information. While PCI goes a long way in trying to address the Credit Card side of things, the Personal Information problem is still looming. We need tougher laws that make companies who gather sensitive information, SSNs etc. fully accountable when theft of the data in their possession occurs.

    All in all, I still bet this guy has about $10m buried someplace but still 20 years of your life is a very stiff sentence considering a plea bargain as well.

    • Re:TJX Case (Score:5, Informative)

      by coolmoose25 (1057210) on Friday March 26, 2010 @09:25AM (#31625052)
      I think the reason he got a stiff sentence (midway between the 15-25 sentencing guideline) was that he got caught TWICE for the same crime. After getting caught the first time, he turned informant, even collecting a $75k salary from the Feds. Meanwhile, he went back to his fraudulent activities and started working an even bigger crime than the one he was originally busted for, and under the Feds noses at that... Fool me once, shame on you. Fool me twice and I'll throw the book at you.
    • Re: (Score:3, Insightful)

      by Aldenissin (976329)

      I second this! TJX used default passwords and several other bad practices and kept on once they knew they had a problem. Had they taken the public's data security seriously, this guy would likely never had been able to do what he did here.

      When you can sit outside and type Username: (Name of manager inside) and Password: admin, wirelessly and then get credit card data from the registers which is not supposed to be stored, then yes it is YOUR fault that this happened as well. Especially when th

      • by russotto (537200)

        I second this! TJX used default passwords and several other bad practices and kept on once they knew they had a problem. Had they taken the public's data security seriously, this guy would likely never had been able to do what he did here.

        Usually when this argument is raised it's when someone just used a default password, looked around the system, maybe even informed the operator, and got prosecuted for it. That isn't the case here... doesn't matter if the door's ajar, that's still not an excuse for going

    • by Jawn98685 (687784)
      Disclosure: I was one of the victims of this breach. Happily, my bank caught it and called to ask if it was really me who'd bought those gift cards at Wal-Mart.

      mod parent + insightful, for truer words were never spoken. Seriously, someone should have gone to jail for being so negligent with sensitive information like that, and no, it almost certainly was not anyone whose job it was to see to such things. It was, most likely, someone with budget control over that department who "...didn't see the value in
    • Re: (Score:3, Informative)

      by captaindomon (870655)
      TJX was not in compliance with PCI-DSS, even though they said they were. Thus the fines from Visa. PCI-DSS has issues of course, but if they followed it correctly they would not have suffered this intrusion.
      • by Virtucon (127420)

        Part of demonstrating compliance is the Audit Process. If TJX had an audit, the auditor at this point would be part of the problem and possibly subject to litigation and damages. The problem though is that the PCI-DSS fines didn't start kicking in until a couple of years ago, so TJX could have been working on PCI-DSS and not have completed there work.

        It's a tough problem, for example, When I was working for a large airline, we couldn't get around to upgrading their WLAN infrastructure to be PCI-DSS compli

    • by sjames (1099)

      PCI does nothing at all compared to what COULD be done using the technology we already have available.

      Consider if a credit card with a smart chip signed the transactions. Customer uses personal interface to authorize a charge. POS then presents a charge record complete with their merchant account number and if it is no more than authorized, the smart chip assigns it a serial number and signs it. Merchant presents the signed charge to CC company.

      At that point, it doesn't matter in the least if someone grabs

    • Re: (Score:3, Interesting)

      by fafaforza (248976)

      TJX may have not been in compliance with PCI, but if you left your house door unlocked to go to the corner store real quick, and someone ripped off your jewelty (or whatever you hold dear), you'd still want them punished. And even though you'd have laid some of the blame on yourself and learned a lesson, you'd still want the scumbag thief to face the music of committing the crime.

      • by Virtucon (127420)

        I think your analogy needs refinement.

        1) Neighbor Asks you to watch their kid.
        2) You agree, and watch them.
        3) then you go to the store and leave the front door open.
        4) You come back and the kid is gone.
        5) Your neighbor is pissed but you just shrug your shoulders
        6) Police give you a misdemeanor citation

        Yes you still want the kidnapper prosecuted but you had direct culpability in the loss of the child. You were supposed to look after them but you didn't, in some places that will wind you up in jail. But sin

    • What's missing here is the fact that TJX didn't take reasonable precautions to protect the data.

      Fully agreed. Until there's some serious liability for mis- and non-feasance when it comes to customer data, there's no incentive for these bozos to clean up their act.

      All in all, I still bet this guy has about $10m buried someplace but still 20 years of your life is a very stiff sentence considering a plea bargain as well.

      Here I'd disagree. This is being treated as a single offense, but it's actually an offense against millions of victims. If the sentence was proportionate to the offense, this guy would never see daylight again.

    • by gcatullus (810326)

      I agree that companies need to safeguard credit card data, but Visa/Mastercard doesn't even have something as simple as chip and pin for cards in the US.

      PCI is a broken system, in that the cartel reaping all the benefits has no risk and foists off the responsibility for protecting card data to the merchant processors who get practically nothing, and then down to the merchants who are PAYING for the privelege of taking credit cards. Visa/Mastercard could and should develop a more secure system, but they won'

  • "a Cuban-American who was born in Miami"

    meaning: he's an american. he's born here, right?

    so what's the fucking point of saying he's CUBAN-american? cuban-americans are more prone to cybercrime? what the hell is the significance of saying he's CUBAN-american. oh, a "real" american would never engage in cybercrime? what's that? an irish-american? an italian-american? when an irish-american robs a bank, do we say describe the crime, the sentencing and the criminal as "An Irish-American who was born in Philadel

    • Re: (Score:3, Insightful)

      by nycguy (892403)

      so what's the fucking point of saying he's CUBAN-american?

      Maybe the author didn't want you to think that Gonzalez is a MEXICAN-american...

      • who cares either way?

        if he's born here, he's an american. end of fucking story. his parents were mexican? they were cuban? they were polish? they were indian? what's the fucking difference?

        yes, i know, to SOME people the difference matters. and for those of you for whom identifying whether or not he's mexican or cuban is important, you're a racist asshole, EVEN IF you are the same ethnic background

    • I'm not Mexican yo! I'm Cuban, B.

      "Ah yes, Cuban B!"

    • Maybe he declared himself a Cuban American. In Miami, the Cuban population, whether born here or not, are relatively proud of their Cuban Heritage, and often refer to themselves as Cuban Americans. Being a Floridian, I'm accutely aware of the self imposed distinctions often made by those people who are of Cuban descent.

    • by SirGarlon (845873)

      I wish you could express outrage without resorting to the F-bomb, but yeah.

      --SirGarlon, a Polish-English-Dutch-American born in New York

    • Re: (Score:3, Insightful)

      by DerekLyons (302214)

      racist fucking bullshit

      Nah, its politically correct bullshit. The media has been bitten too often by failing to mention the $NONAMERICAN identifier that many American's think of themselves as, that they now do it reflexively.

      In the local paper's websites comment section - I've seen the $NONAMERICAN's bitch and moan and try to have it both ways. If the paper mentions a $NONAMERICAN was drunk and caused an accident, they bitch (as you do) that the paper is racist for implying $NONAMERICAN's are drun

      • the issue is blind pride

        people are prideful about things they shouldn't be proudful of

        the only valid source of pride in this world is that you are an ethical HUMAN BEING

        but if you are proud of being an {INSERT RACIAL/ NATIONALISTIC/ RELIGIOUS CHAUVINIST IDENTIFIER} you begin the process of talking about "us" versus "them", and, in your blind silly pride, actually wind up being the source of pretty much all the problems we have in this world

        its getting better, very slowly but surely. someday, in the distant

    • Re: (Score:3, Insightful)

      by mapkinase (958129)

      It's racist only if you say African-American or Jewish.

    • by master_p (608214)

      It's just like calling someone Afro-American, although he or she might have never been or linked to Africa in any way.

    • so what's the fucking point of saying he's CUBAN-american?

      It's not racism - it's an allusion to his cigar-rolling skills!

  • Don't give him 2 20-year concurrent sentences.

    Give him a misdemeanor sentence of several hours per victim, stacked, then throw in a couple of felony charges with concurrent sentences so he'll have a felony record.

    It amounts to the same amount of time, but when someone looks at his rap sheet he'll see millions of convictions on his record.

    • Don't give him 2 20-year concurrent sentences.

      Give him a misdemeanor sentence of several hours per victim, stacked, then throw in a couple of felony charges with concurrent sentences so he'll have a felony record.

      It amounts to the same amount of time, but when someone looks at his rap sheet he'll see millions of convictions on his record.

      That means they'd have to try and convict him on millions of charges. The paperwork for that alone would kill the court system. Imagine having to read the ruling at the decision hearing. It'd take weeks.

  • "You get the max (sentance) for the minimum at TJ Maxx!"
  • Now, how are those financial investigations of Wall St coming along ?

  • Oh, wait. . .Deja vu.

  • Defense lawyers said he should get off because he was ill with Asperger's syndrome. That would be a "free get of jail card" for half of us here (at least me).
  • I have stated this for the past Twenty Years and I will reiterate this all over again. You cannot have a fair trial without a Jury of IT experts. Even the Judge cannot Judge properly if he is not an IT expert. How do you expect a fair trial? Well you just do not do you? it is fucking pathetic and a travesty when people on the Jury's expertise is Windows, Internet Explorer, MSN/Windows Live and cannot even secure their own systems that are full of frigging malware and spyware. Seriously I am furious, and I

You are in a maze of UUCP connections, all alike.

Working...