Gonzalez Pleads Guilty to Massive Retail Hacks

Albert Gonzalez pleaded guilty Sept. 11 to hacking into the systems of major U.S. retailers including TJX Companies, BJ’s Wholesale Club, OfficeMax, Boston Market, Barnes & Noble and Sports Authority. More than 40 million credit and debit card numbers were stolen as a result of the hacking activity.
Gonzalez also agreed to an order of restitution and forfeiture of more than $2.7 million as well as multiple items of real estate and personal property, including a condo in Miami, a 2006 BMW 330i, a Tiffany diamond ring and Rolex watches. Included in the forfeited currency is more than $1 million in cash, which Gonzalez had buried in a container in his backyard.
Gonzalez, 28, also pleaded guilty to one count of conspiracy to commit wire fraud relating to hacks into the Dave & Buster’s restaurant chain.

According to the Department of Justice, Gonzalez and his co-conspirators broke into retail credit card payment systems through a series of sophisticated techniques, including “wardriving” and the installation of sniffer programs to capture credit and debit card numbers used at the victims’ retail stores.

Wardriving involves driving around in a car with a laptop computer looking for accessible wireless computer networks of retailers. Also, Gonzalez and his co-conspirators sold the numbers to others for their fraudulent use and engaged in ATM fraud by encoding the data on the magnetic stripes of blank cards and withdrawing tens of thousands of dollars at a time from ATMs.

Based on the hacks that occurred in Massachusetts, Gonzalez faces a minimum of 15 years and a maximum of 25 years in prison. In a New York plea agreement, Gonzalez also faces up to 20 years in prison, which will run concurrently with the Massachusetts sentencing.

He also faces a fine of up to twice the financial gain from the crime, twice the victims’ financial loss or $250,000, whichever is greatest, per count for the Boston case and a maximum fine of $250,000 for the New York case.

Gonzalez remains under indictment for charges brought in August 2009 by the U.S. Attorney’s Office for the District of New Jersey of conspiring to hack into computer networks supporting major U.S. retail and financial organizations and steal credit and debit card numbers from those entities.

Among the corporate victims named in that indictment are Heartland Payment Systems, a New Jersey-based card payment processor; 7-Eleven, a Texas-based nationwide convenience store chain; and Hannaford Brothers, a Maine-based supermarket chain.