Heartland Hacker Sentenced to 20 YearsExperts: Sentences Not Likely to Deter Hackers
This sentence, to be served concurrently with the 20-year sentence Gonzalez received on March 25 for his role in the TJX breach and similar crimes, was handed down in Boston by federal judge David Woodlock. In addition to the Heartland crime, Gonzalez was implicated in breaches at Hannaford Brothers, a grocery store chain in the northeast, and the 7-Eleven, convenience store chain.
Gonzalez, 28, of Miami, a former law enforcement informant, pled guilty to breaking into the computer networks of major retailers and the payment processor Heartland. The Heartland hack alone is estimated to have impacted 130 million credit and debit cards. His crimes cost companies, banks, and insurers nearly $200 million, says the Department of Justice. His sentence is the longest ever meted out for computer crime in a U.S. court.
During his crime spree from 2003 to 2008, Gonzalez collected a small fortune of $2.8 million, which he used to buy an apartment in Miami, a car, Rolex watches and a Tiffany ring for his girlfriend. After Gonzalez' arrest, federal investigators found more than $1 million in cash buried in a barrel in his parent's backyard in Florida.
A Message to Other Hackers?
Are the Gonzalez sentences a strong message to other criminals?
David Navetta, a lawyer specializing in information security law says the message is: If hackers get caught, there is potentially a huge penalty to pay. "However, the 'if' is the key here," Navetta says. "Unfortunately cybercrimes are often committed from very remote locations all over the world, and the criminals try very hard to cover their tracks. Cybercrime is a relatively low risk (of getting caught) and high reward crime."
Criminals know that law enforcement investigations are expensive, resource intensive and time consuming, "and they like their odds in that regard."
William Taylor, a former criminal prosecutor now at Cyopsis, a security forensics firm, fears that this message is probably not received by its intended audience. "Hackers like Gonzalez believe that they are smarter than the authorities are, are able to evade detection and capture, and likely underestimate the likelihood that they will be apprehended," Taylor says. " ... Acting as a government informant demonstrates the disdain he had for his government handlers."
Gartner analyst Avivah Litan is unsure how much of a deterrent the Gonzalez sentences will be. "Smart criminals will take this as a lesson in scale, so they'll try to stay under the radar and not get carried away with these grand, massive attacks," she says.
Hackers likely will shift toward more small-scale and targeted attacks in a distributed hacking environment - rather than a few massive attacks against very large targets.
"The genie is already out of the bottle," Litan says, "and cybercrime is here to stay."