The mastermind behind some of the most high-profile data breaches in recent history was sentenced on March 25 to 20 years in prison.
Albert Gonzalez, 28, pleaded guilty in 2009 to charges in Massachusetts, New York and New Jersey and faced as many as 25 years behind bars for hacking several major retailers, including BJ’s Wholesale Club, TJX Companies and OfficeMax. Gonzalez still faces sentencing tomorrow for involvement in a slew of other breaches, including the compromise of millions of credit cards in the Heartland Payment Systems breach.
The sentence is the longest ever imposed in a hacking or identity theft case. Gonzalez’s lawyer reportedly argued for leniency, stating that Gonzalez exhibited behavior consistent with Asperger’s Syndrome. Prosecutors meanwhile sought a 25-year sentence on the grounds that Gonzalez’s crew “shook a portion of our financial system” and a stiff sentence would serve as a deterrent.
The Gonzalez cases helped invigorate discussions about compliance with PCI DSS (the Payment Card Industry Data Security Standard) and the fact that annual compliance audits are only snapshots in time, not the be-all and end-all of security.
“PCI remains the most successful cyber-security mandate today, but as we all know, achieving compliance doesn’t always mean achieving security,” said Amichai Shulman, CTO of Imperva. “The Gonzalez attacks are a case in point. Companies should look to the PCI council to help them better define and implement policies and technologies that protect sensitive data, and should always strive to improve and enhance their data security practices to meet or exceed industry standards.”
Michael Maloof, CTO of TriGeo Network Security, was optimistic the sentence would send a clear message to cyber-criminals.
“If you use a computer to steal or provide tools that encourage others to steal, you will go to jail, hopefully for a very, very long time,” Maloof said.