Man Pleads Guilty to Hacking Host of US Retailers, Faces Prison
An international computer hacker has pleaded guilty to multiple charges relating to hacking activity and credit card fraud, leading to 19 counts of conspiracy, computer fraud, wire fraud, access device fraud, and aggravated identity theft relating to hacks into major U.S. retailers including TJX Companies, BJ’s Wholesale Club, OfficeMax, Boston Market, Barnes & Noble, and Sports Authority. Albert Gonzalez, 28, of Miami, was indicted in August 2008 in the District of Massachusetts on charges related to these hacks and has now pleaded guilty, according to U.S. Secret Service Director Mark Sullivan and prosecuting attorneys. More than 40 million credit and debit card numbers were stolen from numerous retailers as a result of the hacking activity, they said.
Gonzalez also pleaded guilty to one count of conspiracy to commit wire fraud relating to hacks into the Dave & Buster’s restaurant chain, which were the subject of a May 2008 indictment in the Eastern District of New York. The pleas in both cases were entered before U.S. District Court Judge Patti B. Saris in federal court in Boston.
"Consumers must be able to trust that the credit and debit cards they use every day in thousands of stores around the world are safe from unlawful access," said Assistant Attorney General Lanny A. Breuer of the Criminal Division. "Working together with U.S. Attorneys’ Offices around the country and with the invaluable support of law enforcement agencies, we will continue our efforts to identify and prosecute hacking and credit card fraud."
According to the indictments to which Gonzalez pleaded guilty, he and his co-conspirators broke into retail credit card payment systems through a series of sophisticated techniques, including "wardriving" and installation of sniffer programs to capture credit and debit card numbers used at these retail stores. Wardriving involves driving around in a car with a laptop computer looking for accessible wireless computer networks of retailers. Using these techniques, Gonzalez and his co-conspirators were able to steal more than 40 million credit and debit card numbers from retailers. Also according to the indictments, Gonzalez and his co-conspirators sold the numbers to others for their fraudulent use and engaged in ATM fraud by encoding the data on the magnetic stripes of blank cards and withdrawing tens of thousands of dollars at a time from ATMs. According to the indictments, Gonzalez and his co-conspirators concealed and laundered their fraud proceeds by using anonymous Internet-based currencies both within the United States and abroad, and by channeling funds through bank accounts in Eastern Europe.
"Technology has forever changed the way we do business, virtually erasing geographic boundaries," said Sullivan. "However, this case demonstrates that even in the cyber world, there is no such thing as anonymity. The Secret Service, in conjunction with its many law enforcement partners across the United States and around the world, continues to successfully combat these crimes by adapting our investigative methodologies. We realize our success in this investigation is due in part to the cooperation of these partners in more than a dozen international law enforcement agencies."
Based on the terms of the Boston plea agreement, Gonzalez faces a minimum of 15 years and a maximum of 25 years in prison. Based on the New York plea agreement, he faces up to 20 years in prison, which the parties have agreed should run concurrently. He also faces a fine of up to twice the pecuniary gain, twice the victims’ pecuniary loss or $250,000, whichever is greatest, per count for the Boston case and a maximum fine of $250,000 for the New York case. Gonzalez also agreed to an order of restitution for the loss suffered by his victims, and forfeiture of more than $2.7 million as well as multiple items of real estate and personal property, including a condo in Miami, a 2006 BMW 330i, a Tiffany diamond ring and Rolex watches. Included in the forfeited currency is more than $1 million in cash, which Gonzalez had buried in a container in his backyard. Sentencing is scheduled for Dec. 8, 2009.
Gonzalez remains under indictment for charges brought in August 2009 by the U.S. Attorney’s Office for the District of New Jersey of conspiring to hack into computer networks supporting major U.S. retail and financial organizations and steal credit and debit card numbers from those entities. Among the corporate victims named in that indictment are Heartland Payment Systems, a New Jersey-based card payment processor; 7-Eleven Inc., a Texas-based nationwide convenience store chain; and Hannaford Brothers Co. Inc., a Maine-based supermarket chain. Charges in that case remain pending. The Department of Justice notes that an indictment is merely an allegation and defendants are presumed innocent until and unless proven guilty in court. While Gonzalez has pleaded guilty to the Boston and New York charges, he has not pleaded guilty to charges pending in New Jersey and remains presumed innocent of those charges.