District Judge Patti Saris sentenced Albert Gonzalez of Miami, who pleaded guilty last year to breaking into the computer systems of a number of major retailers, including TJX and BJ's Wholesale Club.
Prosecutors had earlier sought a 25-year sentence for Gonzalez, despite his legal team's plea bargaining, noting that he victimized millions of people and cost companies, banks and insurers nearly $200 million.
Gonzalez pleaded guilty last year in three separate hacking cases brought in Massachusetts, New Jersey and New York.
The proceeds from the frauds reportedly generated untold wealth for Gonzalez and his team, including fast cars, expensive jewellery and a million dollars in cash, which he is said to have buried in his parents' back garden.
Commenting on the case, Amichai Shulman, chief technology officer with data security specialist Imperva said that the lesson to draw from the sentencing is simple: enterprises are fighting today's cyber war with yesterday's technology.
"Hackers continue to put up a persistent and very real threat to enterprise systems. The current data security spend is focused on enterprise networks, yet the Gonzalez attacks took distinct advantage of weaknesses in the database and applications", he said.
According to Shulman, the security weaknesses are an industry-wide problem.
"In 2009, the top ten data breaches reveal an interesting fact few have noticed. 74% of lost data came from database breaches, 19% from application breaches and 7% from network breaches. Yet, more than 90% of 2009's $16 billion in security spending was on network security. This disconnect needs to be remedied", he explained.
The prison sentence handed down to Gonzalez will, he added, act as a deterrent to criminals.
Over at veteran IT security vendor Sophos' UK headquarters, meanwhile, Graham Cluley, the firm's senior technology consultant, said that this is one of the stiffest sentences ever handed down by a US court for hacking and identity theft.
"Twenty years is a breathtaking sentence for anyone to receive but it is particularly unusual for a computer crime. It is encouraging to see that cybercrime cases, like this one, are being taken more seriously than ever before", he said.
"News of the security breach was, of course, embarrassing for all the stores involved – who must have been worried that customers would lose confidence in their ability to securely hold sensitive data", he added.
According to Cluley, what is fascinating about the story is that Gonzalez is reported to have been working for the US Secret Service when they became aware of his involvement.
"It seems to me that Gonzalez's double-dealing (stealing information from big companies with one hand, while fighting crime with the Secret Service on the other) is clear evidence of his arrogance – believing that he would never be found out and punished", he said in his security blog.