Gonzalez Sentence Is No Deterrent to Hackers, Security Expert Warns

The 20-year sentence imposed last week on Albert Gonzalez of Miami, the computer hacker who led the attack on Heartland Payment Systems, TJX Cos., and other major retailers, won't deter future data breaches, a security expert says. Gonzalez, leader of the largest hacking and identity-theft ring ever prosecuted by the U.S. government, on March 26 was sentenced in the U.S. District Court in New Jersey to 20 years and one day in prison for his role in a series of hacks into Heartland, a New Jersey-based payment processor; 7-Eleven, a Texas-based convenience store chain; and Hannaford Brothers, a Maine-based supermarket chain. He also was ordered to serve three years of supervised release following his prison term as well as pay a $25,000 fine. The sentence will run concurrently with a March 25 sentence imposed on Gonzalez by the U.S. District Court in Boston. In that case, a federal judge sentenced Gonzalez to 20 years in prison for his role in data breaches at TJX, BJ's Wholesale Club, OfficeMax, Boston Market, Barnes & Noble, and Sports Authority. He also was ordered to serve three years of supervised release following his prison term and to pay a $25,000 fine. Earlier this week, Christopher Scott of Miami also was sentenced by the federal judge in Boston to seven years in prison, followed by three years of supervised release for his role in those hacking attacks. While the sentences send a message that society won't tolerate cyber fraud, criminals simply will change their methods of attack, says Avivah Litan, senior analyst at Stamford, Conn.-based Gartner Research. Cybercriminals will focus on smaller, more widely distributed attacks, rather than the massive data breaches orchestrated by Gonzalez. Federal officials estimate that the breaches compromised data on 130 million debit and credit cards in the Heartland incident alone. “They'll think twice before they do something this big and visible,” Litan says. “The message may be just stay away from the 100 million record heists.” But cyber criminals find data breaches too lucrative and easy to pull off, she says, adding, “cybercrime is here to stay. It's not going to slow down.” Meanwhile, a government memorandum released for the March 26 sentencing of Gonzalez paints a picture of a man who repeatedly lied to and manipulated the federal courts, federal law enforcement, and his own family. During the time Gonzalez was purportedly assisting the Secret Service to investigate other hackers, he simultaneously used sensitive information gleaned from the Secret Service to help his co-conspirators escape detection, federal prosecutors say. In one instance, he warned co-conspirator Patrick Toey, who was selling blocks of stolen credit and debit card numbers for Gonzalez, to stay away from a Secret Service undercover Internet site. Gonzalez also laundered tens of thousands of dollars in currency through his parents' line of credit and “stashed another $1.1 million in a hole in their backyard,” prosecutors said. Gonzalez's lawyers unsuccessfully argued for a shorter term, saying their client has Asperger's syndrome, a form of autism, and an Internet addiction, and could not control his actions. Related court documents also reveal that JC Penney, long rumored to be a victim of one of Gonzalez's attacks, fought to bar official disclosure of the data breach. JC Penney unsuccessfully argued there was no evidence any card data were stolen and that disclosing its name would hurt the company's reputation and stock price. While the Secret Service presented information to JC Penney that its computer system was breached, there is no evidence as to whether payment card numbers were stolen, federal prosecutors said. But they objected to JC Penney's request, saying that “most people want to know when their debit or credit card numbers have been put at risk, not simply if, and after, they have clearly been stolen.” “Knowing that cardholders will be concerned whether their credit or debit card information is put at risk, if they know of it, provides an incentive to companies to invest in the protections that their customers would want,” the prosecutors said in the court filing.