TJX/Heartland card hacker mastermind jailed for 20 years

In court yesterday, the judge who sentenced him described the case as "the largest and most costly example of computer hacking in US history."

As reported previously, Miami-based Albert Gonzalez – who was charged along with two Russian collaborators – pleaded guilty in September of last year.

Investigators said that the trio targeted more than 250 US companies, including 7-Eleven, Hannaford Brothers, payment processor Heartland Payment Systems and arguably the most high profile of all, TJX, the parent company of TJ Maxx.

In court last year, prosecutors explained how Gonzalez and his team used a variety of methodologies, including SQL injection attacks, to gain unauthorised access to large volumes of credit and debit card data.
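As an added illustration, not part of the original article or of the court record, the Python block below shows the class of weakness named above: a customer lookup that splices user input straight into a SQL string, beside the parameterised form of the same query. It runs against an in-memory SQLite database; the table names, sample rows, card numbers and the injection payload are all constructed for this example and are not taken from any of the breached companies' systems.

```python
import sqlite3


def build_db():
    """Constructed sample data: a retailer-style back end with a customers
    table and a separate cards table. Every value here is invented."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, email TEXT);
        CREATE TABLE cards (id INTEGER PRIMARY KEY, customer_id INTEGER,
                            pan TEXT, expiry TEXT);
        INSERT INTO customers VALUES (1, 'Alice Example', 'alice@example.com');
        INSERT INTO customers VALUES (2, 'Bob Example', 'bob@example.com');
        INSERT INTO cards VALUES (1, 1, '4111111111111111', '12/27');
        INSERT INTO cards VALUES (2, 2, '5500000000000004', '03/26');
        """
    )
    return conn


def lookup_vulnerable(conn, email):
    """Builds the query by string concatenation, so attacker-controlled input
    becomes part of the SQL text. This is the weak pattern."""
    sql = "SELECT name, email FROM customers WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, email):
    """Parameterised query: the value is bound by the driver and is never
    parsed as SQL, so the same payload is just an email that matches nothing."""
    sql = "SELECT name, email FROM customers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


# Constructed UNION-based payload: closes the string literal, appends a second
# SELECT with the same column count over a table the lookup was never meant to
# touch, then comments out the trailing quote the application adds.
PAYLOAD = "x' UNION SELECT pan, expiry FROM cards --"


def compare(payload=PAYLOAD):
    """Run the payload through both lookups and return (vulnerable, safe) results."""
    conn = build_db()
    leaked = sorted(lookup_vulnerable(conn, payload))
    safe = lookup_safe(conn, payload)
    return leaked, safe


if __name__ == "__main__":
    leaked, safe = compare()
    print("vulnerable lookup returned:", leaked)   # card rows, not customer rows
    print("parameterised lookup returned:", safe)  # []
```

The vulnerable function returns card rows from a table the customer lookup has no business reading, which is exactly the application-layer path to the database that the sentencing coverage describes; the parameterised version returns nothing for the same input. Input filtering on the network edge does not see the difference, since both requests are ordinary HTTP traffic to a legitimate endpoint.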

The proceeds from the frauds reportedly generated untold wealth for Gonzalez and his team, including fast cars, expensive jewellery and a million dollars in cash, which he is said to have buried in his parents' back garden.

Commenting on the case, Amichai Shulman, chief technology officer with data security specialist Imperva said that the lesson to draw from the sentencing is simple: enterprises are fighting today's cyber war with yesterday's technology.

"Hackers continue to put up a persistent and very real threat to enterprise systems. The current data security spend is focused on enterprise networks, yet the Gonzalez attacks took distinct advantage of weaknesses in the database and applications", he said.

According to Shulman, the security weaknesses are an industry-wide problem.

"In 2009, the top ten data breaches reveal an interesting fact few have noticed. 74% of lost data came from database breaches, 19% from application breaches and 7% from network breaches. Yet, more than 90% of 2009's $16 billion in security spending was on network security. This disconnect needs to be remedied", he explained.

The prison sentence handed down to Gonzalez will, he added, act as a deterrent to criminals.

Over at Sophos, meanwhile, Graham Cluley, a senior technology consultant, said that this is one of the stiffest sentences ever handed down by a US court for hacking and identity theft.

"Twenty years is a breathtaking sentence for anyone to receive but it is particularly unusual for a computer crime. It is encouraging to see that cybercrime cases, like this one, are being taken more seriously than ever before", he said.

"News of the security breach was, of course, embarrassing for all the stores involved – who must have been worried that customers would lose confidence in their ability to securely hold sensitive data", he added.

According to Cluley, what is fascinating about the story is that Gonzalez is reported to have been working as an informant for the US Secret Service when the agency became aware of his involvement.

"It seems to me that Gonzalez's double-dealing (stealing information from big companies with one hand, while fighting crime with the Secret Service on the other) is clear evidence of his arrogance – believing that he would never be found out and punished", he said in his security blog.
