Hacker mastermind Albert Gonzalez was sentenced Thursday in US District Court to two concurrent 20-year stints in prison for his role in what prosecutors called the "unparalleled" theft of millions of credit card numbers from major US retailers.
US District Court Judge Patti B Saris announced the concurrent sentences in two 2008 cases against Gonzalez, 28, a Cuban-American, who was born in Miami, where he lived when the crimes were committed.
Gonzalez and co-conspirators hacked into computer systems and stole credit card information from TJX, Office Max, DSW and Dave and Buster's, among other online retail outlets, in one of the largest — if not the largest — cybercrime operations targeting that sort of data thus far. They then sold the numbers to other criminals. Gonzalez pleaded guilty to conspiracy charges in two cases related to those thefts last December and the following day entered a guilty plea in a third case involving hacking into computer networks of Heartland Payment Systems and the Hannaford Supermarkets and 7-Eleven chains. The Heartland hacking was particularly damaging because the company processes transactions for major credit and debit card companies Visa and American Express.
He is scheduled to be sentenced in the third case Friday in US District Court for the District of Massachusetts. Gonzalez was indicted in New York, New Jersey and Massachusetts, with the cases eventually moved to the same federal court. Under terms of the plea deals, the US Department of Justice agreed to seek sentences of no more than 25 concurrent years in prison in all three cases. After reviewing the cases following established sentencing guidelines that take into account various factors, including the effects of the crimes, the DOJ sought the maximum in two cases and 20 years in the other.
However, because the judge could decide to impose a lower sentence, defense attorney Martin Weinberg had argued that Gonzalez should be sentenced to 15 years for the two cases heard on Thursday. While the government referred to the cases as "identity theft," they were instead thefts of data that did not involve stealing victims' identities to "invade their bank accounts, withdraw money, and ruin their credit", according to a court filing Monday in response to the DOJ's sentencing memorandum, which was filed last week.
Furthermore, Gonzalez "did not hack into government computer systems, he did not crash computer systems by spreading viruses or inundating them with spam, and he did not invade the privacy of individuals' computers to steal such data as passwords to compromise their financial life and invade their personal property," Weinberg wrote.
What's more, tens of millions of the stolen credit card accounts in the cases before Judge Saris Thursday "had expired and would therefore have no longer ... had credit limits at all," said the sentencing document.
The defense had further argued that Gonzalez was a substance-abusing, internet addict with Asperger's syndrome — a form of autism — at the time of his crimes, so he should merit fewer years in prison. Also, one of the three unrelated cases cited by the DOJ in making its argument for longer sentences — because there should be parity in sentencing similar crimes — was much worse than what Gonzalez did, Weinberg said in the filing.
While noting that it sought sentences that would be "the longest ever imposed in an identity theft case and among the longest imposed for a financial crime," federal prosecutors said that sending Gonzalez to prison for that long is justified because he was "at the centre of the largest and most costly series of identify thefts in the nation's history. He knowingly victimised a group of people whose population exceeded that of many major cities and some states — certainly millions upon millions, perhaps tens of millions. He did so at the cost of hundreds of millions of dollars to businesses ranging from small banks and credit unions to Fortune 500 companies. And he did so while on pretrial release from an earlier federal case and while intentionally obstructing justice," the DOJ argued in its sentencing memorandum.
The full financial damage of the crimes committed by Gonzalez and his co-conspirators, who were in the US, Turkey and Russia, is difficult to assess. Weinberg argued in court filings that because Gonzalez and his cybercrime gang stole data that they then sold to others, the government's estimates far exceed the real total in damages, particularly given that many of the stolen credit and debit card numbers were expired.
The government countered that the potential for loss had to be taken into account, with the credit limits available on so many stolen numbers factored in. Additionally, in victim impact statements TJX said that the hacking cost it at least $171.5 million that has already been paid out or will be in the future, the DOJ noted. Heartland has said it lost almost $130 million. The company has agreed to multimillion dollar settlements with Visa and American Express for damages in the hacking thefts.
As for Gonzalez's mental health, a psychiatric evaluation performed for the prosecution countered an evaluation conducted for the defence, finding that while Gonzalez was indeed prone to abuse substances, that was no excuse for the crimes he committed, and that his role in the hacking suggests he does not have Asperger's, whose sufferers are not usually leaders. Furthermore, even if Gonzalez did spend enough time online to constitute internet addiction, which is not a clinical diagnosis, the fact remains that he was engaged in cybercrime.
In perhaps the most bizarre and complicated twist, Gonzalez was "for a significant portion of the time ... (purportedly) assisting the Secret Service to investigate others," the DOJ said in its sentencing document, referring to a deal Gonzalez cut to avoid prison in a separate cybercrime case. "During this time, however, Gonzalez simultaneously was using sensitive investigative information he learned from the Secret Service to obstruct justice by ensuring that his co-conspirators escaped detection. ... Gonzalez even callously laundered tens of thousands of dollars in currency through his parents' line of credit, and stashed another $1.1 million in a hole in their backyard."
Gonzalez, who punctuated Internet messages with smiley faces when he was pleased to hear that the cybercrime ring was raking in huge sums of money selling stolen credit and debit card numbers, told one of the co-conspirators via ICQ that he wanted to make enough money to buy a yacht and retire from criminal activity. By the time he was arrested, Gonzalez had acquired a condominium in Miami, a 2006 BMW 330I, multiple computers, a Glock 27 gun and $1.65 million, all of which he forfeited as part of the plea agreement. That money was on top of more than $20,000 seized when he was arrested on May 7, 2008.
"Albert Gonzalez was motivated by ego, challenge and greed and was proud of the national attention his computer intrusions and data thefts drew," the DOJ said in its sentencing filing. "They drew that attention because they victimised more people than anyone had ever done before in this country, caused hundreds of millions of dollars in losses, and shook the public's trust in the security of credit and debit card transactions at some of the country's largest institutions.
"Gonzalez already has been given a second chance. He used that second chance not to straighten out his life, but to provide cover as committed ever more brash and destructive crimes."