Albert Gonzalez has been sentenced to 20 years in prison for his part in the hacking of more than 90 million credit and debit card numbers from TJ Maxx and other retailers.
Gonzalez, who was arrested last summer and confessed to helping lead a ring that broke into the retailers, said that he buried $1 million cash in the garden of his parents' home and that his crimes got out of control ‘because of my inability to stop my pursuit of curiosity and addiction’, according to Reuters.
Gonzalez's prison term could be extended today as another judge will sentence him on charges of stealing tens of millions more payment card numbers from companies including payment card processor Heartland Payment Systems, 7-Eleven and the Hannaford chain of New England grocery stores.
Mark Rasch, former head of the computer crimes unit at the US Department of Justice, said that it was the harshest sentence ever handed down for a computer crime in an American court.
Assistant US attorney Stephen Heymann said that Gonzalez and his co-conspirators had caused some $200 million in damages to those businesses, and that it was not possible to quantify how much money was stolen from individuals.
Heymann said: “He shook a portion of our financial system. What matters most is that teenagers and young adults not look up to Albert Gonzalez. They need to know that they will be caught. That they will be punished and that the punishment will be severe.”
Under his plea agreement, Gonzalez had faced up to 25 years in prison, but asked the judge for leniency in sentencing, saying he had been addicted to computers since childhood, had abused alcohol and illegal drugs for years and suffered from symptoms of Asperger's disorder.
Amichai Shulman, CTO of Imperva, said: “The lesson to draw from today's sentencing is simple: enterprises are fighting today's cyber war with yesterday's technology. Hackers continue to put up a persistent and very real threat to enterprise systems. The current data security spend is focused on enterprise networks, yet the Gonzalez attacks took distinct advantage of weaknesses in the database and applications. And this is an industry-wide problem.
“Today's sentencing will hopefully act as a deterrent to cyber crime in the US. However, the threat to enterprises from hackers like Gonzalez remains persistent.”
Graham Cluley, senior technology consultant at Sophos, said: “Twenty years is a breathtaking sentence for anyone to receive but it is particularly unusual for a computer crime.
“What's fascinating about this story is that Gonzalez was actually working for the US Secret Service when they became aware of his involvement in the 2007 hack. Clearly security measures need to be strengthened to avoid this ‘double agent’ effect happening again.”
Update - Gonzalez was given a sentence of 20 years and one day for his part in the hacking of Heartland Payment Systems, 7-Eleven, and other companies. The sentence will run concurrently with his previous sentence.