BOSTON – A 28-year-old college dropout who became the world’s biggest credit card hacker on Thursday was sentenced to 20 years in prison for stealing millions of credit union and bank account records from TJX Cos., BJ’s Wholesale Club, Office Max, Dave & Busters, Barnes & Noble and a string of other companies – even as he was working as a $75,000-a-year undercover informant for the U.S. government in identity theft cases.
But that’s not the end of it, as Albert Gonzalez is scheduled to be sentenced again today to additional years behind bars for additional data thefts at Heartland Payment Systems, Hannaford Bros. supermarkets and 7-Eleven convenience stores. The theft of credit card data cost financial institutions, insurers and cardholders an estimated $200 million, according to law enforcement.
All the while, the master hacker was working to provide information on other Internet fraud for the U.S. Secret Service.
The drama in the case continued up to the last minute, when Gonzalez attempted to contest the monetary losses attributed to the TJX intrusion which would help determine his sentence. The defense served the company with a subpoena seeking documentation to back its assessment that it suffered a $171.5 million loss.
Defense attorneys had petitioned the judge for a 15-year term while federal prosecutors asked for 25 years. In splitting the difference, U.S. District Judge Patti Saris credited Gonzalez for his apparent remorse, but Judge Saris said she was disturbed by the fact he committed his crimes while working for the government.
Most of the hacking by Gonzalez and his accomplices took place in Miami, where they would drive by major retailers and try to penetrate their databases on laptops in the parking lots. When successful, they downloaded to servers in Latvia and the Ukraine, according to court records. The credit card information eventually was passed on to master Ukrainian card seller Maksym Yastremskiy, who sold it to thousands of individuals in the online underground or at websites. The stolen data was used to create counterfeit credit cards, which then were used to buy merchandise or withdraw millions of dollars in cash from ATMs.
Yastremskiy, who earned $11 million from card sales, was captured in Turkey in 2007. In 2009 he was sentenced to 30 years in prison by a Turkish court.
