Heartland Hacker to be Sentenced

How Much Jail Time Does Albert Gonzalez Face?
Heartland Hacker to be Sentenced
The most notorious hacker in history faces sentencing this week for the Heartland Payment Systems, TJX and other major data breaches.

If federal prosecutors have their way, Albert Gonzalez will face the maximum sentence of 25 years in prison. Prosecutors and Gonzalez' lawyer were present at a hearing on March 18 to argue sentencing parameters.

Gonzalez faces sentencing on the TJX breach, Office Max, DSW and Dave & Busters breaches on Thursday in front of a judge in the District Court of Massachusetts.

On Friday, he will face sentencing for the Heartland breach, and the Hannaford Brothers and 7-11 breaches. These three cases were moved from the New York and New Jersey district courts to consolidate the sentencing in one court.

In the TJX, Office Max and DSW case, the maximum sentence would be 25 years; in the Dave and Buster's hack, he faces 20 years; and in the Heartland, Hannaford and 7-11 case, Gonzalez may be sentenced up to 25 years. If he receives the maximum sentence in these cases, the sentences would be carried out concurrently.

'No Stranger to Hacking'

Prosecutors state that Gonzalez is no stranger to hacking, and began doing it while a teen in Miami. First arrested by law enforcement in 2003 for using cloned ATM cards, Gonzalez turned into a Secret Service informant after they learned of his role as an administrator on a carding site called Shadowcrew. The site, before it was taken down, was one of the underground carding community's leading forums for selling stolen card data.

Gonzalez's undercover worked helped agents arrest more than 12 hackers in an investigation called "Operation Firewall." On one hand, he turned in fellow hackers, but he also kept in contact with other hackers and criminals and made plans to hack into multiple companies. His criminal enterprising was stopped in May 2008, when he was arrested for the Dave & Buster's restaurant breach. Later in August, he was slapped with a criminal indictment for the TJX breach and pled guilty to that crime in September 2009. Charges that he and two others hacked into Heartland Payment Systems came in August 2009, and he pled guilty to the charges in December.

In the court filing last week, prosecutors say that the 70 years maximum sentence is "because Gonzalez was at the center of the largest and most costly series of identity thefts in the nation's history."

The prosecutors charge he knowingly victimized a group of millions of people, at the cost of hundreds of millions to businesses, including small banks and credit unions to Fortune 500 companies. "And he did so while on pretrial release from an earlier federal case and while intentionally obstructing justice," the filing says.

What Should Sentence Be?

So, what would be an appropriate sentence for Gonzalez?

Admitting that it is hard to predict what the judge will rule, Dave Shackleford, an information security expert and SANS instructor, wants to see some significant penalties placed on Gonzalez based on the severity of his crimes. "There is a lot of evidence and the impact of the crimes has been immense," Shackleford says.

One identity theft victims advocate, Linda Foley of the Identity Theft Resource Center, thinks Gonzalez's sentence should be extreme. "In a perfect world, he would get 50-plus years in a room without any computers, limited visitation that would be monitored so he can't control his crew from inside," she says. "But it is not a perfect world."

Because Gonzalez betrayed law enforcement while working as an informant, he gave a black eye to law enforcement -- giving extra reasons for the judicial branch to judge him more harshly, say some observers. Bill Taylor, a former criminal prosecutor of cyber criminals and founder of Cyopsis, a Colorado-based forensic investigation firm, says the sentence "likely will be at the aggravated end of the available sentencing range, based on the sheer magnitude of harm done to so many people, and, in particular, based upon his having committed these crimes while posing as a cooperator with federal law enforcement."

Identity theft expert Robert Siciliano predicts that Gonzalez will get the book thrown at him by the court. Although, he cautions it isn't likely that Gonzalez will even serve his full sentence because his crimes were financial, as opposed to violent. "He will get the maximum to send a clear message," Siciliano says, "However he will be eligible for parole somewhere halfway through."

About the Author

Linda McGlasson

Linda McGlasson

Managing Editor

Linda McGlasson is a seasoned writer and editor with 20 years of experience in writing for corporations, business publications and newspapers. She has worked in the Financial Services industry for more than 12 years. Most recently Linda headed information security awareness and training and the Computer Incident Response Team for Securities Industry Automation Corporation (SIAC), a subsidiary of the NYSE Group (NYX). As part of her role she developed infosec policy, developed new awareness testing and led the company's incident response team. In the last two years she's been involved with the Financial Services Information Sharing Analysis Center (FS-ISAC), editing its quarterly member newsletter and identifying speakers for member meetings.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.com, you agree to our use of cookies.