Gonzalez, 28, of Miami, was sentenced to 20 years in prison for leading a group of cybercriminals that stole tens of millions of credit and debit card numbers from TJX and several other retailers.
Gonzalez pleaded guilty in September to multiple federal charges of conspiracy, computer fraud, access device fraud and identity theft for hacking into TJX, which owns T.J. Maxx, BJ's Wholesale Club, OfficeMax, Boston Market, Barnes & Noble and Sports Authority. He was facing up to 25 years in prison for these charges.
Gonzalez also pleaded guilty last year in two other pending hacking cases for which he is scheduled to be sentenced on Friday. He faces up to 20 years in prison for his role in hacking into the network of Dave & Buster's restaurant chain and stealing credit and debit card numbers from at least 11 locations.
As part of a third pending case, Gonzalez faces between 17 and 25 years in prison for hacking into the payment card networks of Heartland, 7-Eleven and Hannaford Bros. supermarket chain to steal more than 130 million credit and debit card numbers. In a plea deal, his sentences will run concurrently to each other.
The former record-high hacking sentence of 13 years in prison was handed down just last month to a San Francisco man named Max Ray Butler, who was convicted of hacking into financial institutions and then hawking the stolen data in an online forum.
This is the third conviction to be handed down this week to individuals involved in the TJX hack. On Tuesday, one of Gonzalez' co-conspirators, Jeremy Jethro, 29, was sentenced to six months home confinement and three years of probation for providing Gonzalez with a zero-day exploit to take advantage of a then-unknown vulnerability in Microsoft's Internet Explorer browser.
In addition, Humza Zaman, formerly a programmer at Barclays Bank, was sentenced earlier this month to 46 months in prison and fined $75,000 for laundering at least $600,000 in identity theft proceeds for Gonzalez. Also, in December, Stephen Watt, 25, of New York was sentenced to two years in prison and ordered to pay $171.5 million in restitution for providing Gonzalez with the "sniffer" program that was used to hijack credit card numbers from TJX.
The security community reacted swiftly to the Gonzalez sentencing.
“The Gonzalez sentence sends a clear message to career criminals and organized crime outfits,” Michael Maloof, CTO at information security management firm TriGeo Network Security, said in a statement sent to SCMagazineUS.com on Thursday. “If you use a computer to steal or provide tools that encourage others to steal, you will go to jail – hopefully for a very, very long time.”
Frank Kenney, VP global strategy at managed file transfer solutions vendor Ipswitch File Transfer, also said Gonzalez' sentence could serve as a deterrent to others.
“Raising the bar with sentences like the Gonzalez case may detract future hackers,” he said.