Threat Management, Vulnerability Management

TJX ringleader pleads guilty

One of the leaders of an international ring of credit card thieves on Friday pleaded guilty to multiple federal charges, including conspiracy, computer fraud, access device fraud and identity theft.

Albert Gonzalez, 28, of Miami, was part of a group that hacked into TJX, BJ's Wholesale Club, OfficeMax, Boston Market, Barnes & Noble and Sports Authority, according to the U.S. Department of Justice (DoJ). Gonzalez had been indicted in August 2008 in Massachusetts on charges related to the hacks.

Gonzalez and his co-conspirators were able to steal more than 40 million credit and debit card numbers from retailers by breaking retail credit card payment systems through a series of sophisticated techniques, including "wardriving" and installation of sniffer programs, according to the DoJ. 

The gang sold the numbers and raided ATMs using the stolen data, often withdrawing tens of thousands of dollars at a time, according to the DoJ. They hid their activity by using internet-based currencies and channeling funds through bank accounts in Eastern Europe.

"Technology has forever changed the way we do business, virtually erasing geographic boundaries," U.S. Secret Service Director Mark Sullivan said in a statement. "However, this case demonstrates that even in the cyber world, there is no such thing as anonymity."

Even with the success of this operation, it is unlikely to forestall much criminal activity on the internet, experts said.

“They definitely got a big guy here,” Avivah Litan, vice president and distinguished analyst at Gartner, told Monday. “But there are a lot more to fill his tracks. It should be a deterrent for future criminals, but it probably won't be.”

Criminals are tending to launch more under-the-radar attacks, instead of big breaches garnering tens of millions of records, Litan said. Criminals now frequently target business bank accounts that cash managers handle on behalf of small companies, county governments and other organizations by planting trojans on user desktops to steal account credentials.

“They‘ve set their sights on small business cash accounts at banks and launch lots of small attacks, instead of one big attack,” Litan said.

Gonzalez will be sentenced Dec. 8. He faces up to 25 years in prison. He also agreed to forfeit more than $2.7 million, along with a condo in Miami, a 2006 BMW 330i, a Tiffany diamond ring and several Rolex watches, according to the DoJ. The forfeited cash includes more than $1 million Gonzalez had buried in his backyard.

Gonzalez's attorney, Rene Palomino, couldn't be reached Monday for comment.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.