Albert Gonzalez has been given two concurrent 20 year sentences for his role in the “unparalleled” theft of millions of credit and debit card numbers from US retailers including TJX.
District Court Judge Patti B. Saris announced the concurrent sentences in two 2008 cases against Gonzalez, 28, a Cuban-American born in Miami, where he lived when the crimes were committed.
"I stand before you humbled by these past 24 months," Gonzalez said in court, slightly expanding the time he has been incarcerated since his arrest in May 2008. "I'm guilty not only of exploiting complicated networks, but also of exploiting personal relationships," he said.
He added that he had exploited a relationship with a "government agency," a reference to a previous deal he had related to a separate criminal case in which he agreed to be an informant for the US Secret Service, but provided information from that agency to one of his co-conspirators in the credit-card theft cases.
Gonzalez and co-conspirators hacked into computer systems and stole credit card information from TJX, Office Max, DSW and Dave and Buster's, among other online retail outlets, in one of the largest -- if not the largest -- cybercrime operations targeting that sort of data thus far.
They used some of the stolen numbers to remove cash from ATM machines and sold many of the other numbers to other criminals, including those in Eastern Europe.
Gonzalez pleaded guilty to conspiracy charges in two cases related to those thefts last December and the following day entered a guilty plea in a third case involving hacking into computer networks of Heartland Payment Systems and the Hannaford Supermarkets and 7-Eleven chains, also to steal credit and debit card numbers.
The Heartland hacking was particularly damaging because the company processes transactions for major credit and debit card companies Visa and American Express.
He is scheduled to be sentenced in the third case Friday in U.S. District Court for the District of Massachusetts. Gonzalez was indicted in New York, New Jersey and Massachusetts, with the cases eventually moved to the same federal court.
Judge Saris said that with respect to the two cases in her court, she believes the 20-year sentences are "sufficient" to suit the crimes and also will send a message to would-be cybercriminals, who tend to be young adults, that they could spend much of their youth in prison if they are caught.
Saris was apparently moved by letters written by Gonzalez's loved ones, who described him as "interactive and loved and loving -- there is another side to your personality," she said of those accounts.
"And yet when you read the [case] transcripts there's this macho glee" about the crimes he was committing, she added. Furthermore, he "two-times" the Secret Service, "almost like a double agent," she said.
Defense attorney Martin Weinberg argued in court documents and again in court Thursday that Gonzalez should be sentenced to 15 years.
While the government referred to the cases as "identity theft," they were instead thefts of data that did not involve stealing victims' identities to "invade their bank accounts, withdraw money, and ruin their credit," according to a court filing, which Weinberg reiterated Thursday.
Furthermore, Gonzalez "did not hack into government computer systems, he did not crash computer systems by spreading viruses or inundating them with spam, and he did not invade the privacy of individuals' computers to steal such data as passwords to compromise their financial life and invade their personal property," Weinberg wrote in the court document.
Federal prosecutors, however, painted a different portrait. "Albert Gonzalez was motivated by ego, challenge and greed and was proud of the national attention his computer intrusions and data thefts drew," the DOJ said in its sentencing filing.