Heartland Hacker Sentenced to 20 Years

Experts: Sentences Not Likely to Deter Hackers
Heartland Hacker Sentenced to 20 Years
For his role in the Heartland Payment Systems data breach, convicted hacker Albert Gonzalez on Friday received a second 20-year prison sentence.

This sentence, to be served concurrently with the 20-year sentence Gonzalez received on March 25 for his role in the TJX breach and similar crimes, was handed down in Boston by federal judge David Woodlock. In addition to the Heartland crime, Gonzalez was implicated in breaches at Hannaford Brothers, a grocery store chain in the northeast, and the 7-Eleven, convenience store chain.

Gonzalez, 28, of Miami, a former law enforcement informant, pled guilty to breaking into the computer networks of major retailers and the payment processor Heartland. The Heartland hack alone is estimated to have impacted 130 million credit and debit cards. His crimes cost companies, banks, and insurers nearly $200 million, says the Department of Justice. His sentence is the longest ever meted out for computer crime in a U.S. court.

During his crime spree from 2003 to 2008, Gonzalez collected a small fortune of $2.8 million, which he used to buy an apartment in Miami, a car, Rolex watches and a Tiffany ring for his girlfriend. After Gonzalez' arrest, federal investigators found more than $1 million in cash buried in a barrel in his parent's backyard in Florida.

A Message to Other Hackers?

Are the Gonzalez sentences a strong message to other criminals?

David Navetta, a lawyer specializing in information security law says the message is: If hackers get caught, there is potentially a huge penalty to pay. "However, the 'if' is the key here," Navetta says. "Unfortunately cybercrimes are often committed from very remote locations all over the world, and the criminals try very hard to cover their tracks. Cybercrime is a relatively low risk (of getting caught) and high reward crime."

Criminals know that law enforcement investigations are expensive, resource intensive and time consuming, "and they like their odds in that regard."

William Taylor, a former criminal prosecutor now at Cyopsis, a security forensics firm, fears that this message is probably not received by its intended audience. "Hackers like Gonzalez believe that they are smarter than the authorities are, are able to evade detection and capture, and likely underestimate the likelihood that they will be apprehended," Taylor says. " ... Acting as a government informant demonstrates the disdain he had for his government handlers."

Gartner analyst Avivah Litan is unsure how much of a deterrent the Gonzalez sentences will be. "Smart criminals will take this as a lesson in scale, so they'll try to stay under the radar and not get carried away with these grand, massive attacks," she says.

Hackers likely will shift toward more small-scale and targeted attacks in a distributed hacking environment - rather than a few massive attacks against very large targets.

"The genie is already out of the bottle," Litan says, "and cybercrime is here to stay."

About the Author

Linda McGlasson

Linda McGlasson

Managing Editor

Linda McGlasson is a seasoned writer and editor with 20 years of experience in writing for corporations, business publications and newspapers. She has worked in the Financial Services industry for more than 12 years. Most recently Linda headed information security awareness and training and the Computer Incident Response Team for Securities Industry Automation Corporation (SIAC), a subsidiary of the NYSE Group (NYX). As part of her role she developed infosec policy, developed new awareness testing and led the company's incident response team. In the last two years she's been involved with the Financial Services Information Sharing Analysis Center (FS-ISAC), editing its quarterly member newsletter and identifying speakers for member meetings.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.com, you agree to our use of cookies.