RSA Conference: Gonzalez may receive largest ever U.S. hacking sentence

U.S. Department of Justice (DoJ) officials are hoping that two weeks from now, hacker Albert Gonzalez will receive a record sentence for a computer intruder.

Gonzalez, currently being held in Boston in the custody of the U.S. Marshals Service, is the mastermind behind a group that hacked into the networks of retailers and card processors to steal more than 170 million payment card numbers. He is involved in three pending hacking cases for which he is scheduled to be sentenced on March 18 and 19.

For his hacking crimes, Gonzalez is likely to receive a record-breaking prison term, Howard Cox, assistant deputy chief, computer crime and intellectual property section of the Justice Department, said Thursday at the RSA Conference.

“Two weeks ago, [Max Ray] Butler, operating out of the Bay Area, got 13 years in jail,” Cox said. “That is the single largest hacking sentence in the U.S. We might be able to beat it in a few weeks.”

Gonzalez faces up to 25 years in prison for stealing more than 40 million credit card numbers from TJX, which owns T.J. Maxx, Barnes & Noble, BJ's Wholesale Club, Boston Market, DSW, Forever 21, Office Max and Sports Authority. In addition, he faces up to 20 years in prison for his role in hacking into the network of Dave & Buster's restaurant chain and stealing credit and debit card numbers from at least 11 locations.

As part of a third pending case, Gonzalez faces between 17 and 25 years in prison for hacking into the payment card networks of Heartland, 7-Eleven and Hannaford Bros. supermarket chain to steal more than 130 million credit and debit card numbers. His sentences will run concurrently with each other.

During an RSA Conference session, Cox said it is common to believe that hackers will not be brought to justice or receive substantial sentences. That is a faulty way to think, he said.

“Working cooperatively, we can successfully convict these people and get significant jail sentences,” he said.

Kimberly Kiefer Peretti, senior counsel with the DoJ's computer crime and intellectual property section, who also spoke during the session, referred to another successful cybercriminal prosecution that occurred recently.

Stephen Watt, 25, of New York was sentenced in late December to two years in prison and three years of supervised release for his role in the TJX hack. Watt admitted to providing Albert Gonzalez with the "sniffer" program used to hijack credit card numbers from TJX and other merchants. He additionally was ordered to pay $171.5 million in restitution, according to the U.S. attorney's office in Boston.

Watt's sentence represented a significant milestone for law enforcement because his role in the crime apparently was not for profit, Kiefer Peretti said.

“We need to let the hacking culture out there know – even if you are hacking for fun you will spend some time behind bars,” she said.

Even with the recent successes, though, law enforcement agents face a mountain of challenges when trying to bring cybercriminals to justice, Kiefer Peretti said. Getting international cooperation, dealing with language barriers and overcoming the expense and time of investigations are some of the challenges they face.

“Our most formidable challenge is getting companies here to detect they have been compromised and to immediately report it,” she said. Successful hacking prosecutions can only happen when victimized companies work with law enforcement, Kiefer Peretti said.

“We are totally dependent on working with victim entities to face this challenge,” she said.
