Grant Gross of IDG News Service reports:
Hacker Albert Gonzalez, accused of masterminding the massive data thefts at BJ’s Wholesale Club, TJX and several other retailers, has pleaded guilty to 19 charges related to computer hacking and credit card fraud, the U.S. Department of Justice said.
Gonzalez, 28, of Miami, was a member of a group of hackers that stole more than 40 million credit and debit card numbers from TJX, BJ’s Wholesale Club, OfficeMax, Boston Market, Barnes & Noble and Sports Authority, the DOJ said. He pleaded guilty Friday to 19 counts of conspiracy, computer fraud, wire fraud, access device fraud and aggravated identity theft in U.S. District Court for the District of Massachusetts.
Read more on PC World.
The press release from the Department of Justice:
An international computer hacker pleaded guilty today to multiple charges relating to hacking activity and credit card fraud, announced Assistant Attorney General of the Criminal Division Lanny A. Breuer, Acting U.S. Attorney for the District of Massachusetts Michael Loucks, U.S. Attorney for the Eastern District of New York Benton J. Campbell and Director of the U.S. Secret Service Mark Sullivan. More than 40 million credit and debit card numbers were stolen from major U.S. retailers as a result of the hacking activity.
Albert Gonzalez, 28, of Miami, pleaded guilty today to 19 counts of conspiracy, computer fraud, wire fraud, access device fraud and aggravated identity theft relating to hacks into numerous major U.S. retailers including TJX Companies, BJ’s Wholesale Club, OfficeMax, Boston Market, Barnes & Noble and Sports Authority. Gonzalez was indicted in August 2008 in the District of Massachusetts on charges related to these hacks.
Gonzalez also pleaded guilty to one count of conspiracy to commit wire fraud relating to hacks into the Dave & Buster’s restaurant chain, which were the subject of a May 2008 indictment in the Eastern District of New York. The pleas in both cases were entered before U.S. District Court Judge Patti B. Saris in federal court in Boston.
“Consumers must be able to trust that the credit and debit cards they use everyday in thousands of stores around the world are safe from unlawful access,” said Assistant Attorney General Lanny A. Breuer of the Criminal Division. “Working together with U.S. Attorneys’ Offices around the country and with the invaluable support of law enforcement agencies, we will continue our efforts to identify and prosecute hacking and credit card fraud.”
“The investigation and prosecution of identity theft is a top priority of the Department,” said Acting U.S. Attorney for the District of Massachusetts Michael Loucks. “In the past 10 years there has been a dramatic growth in the transfer and storage of credit and debit card data on computer networks. It is thus compellingly important that we work hard to investigate and prosecute the theft of personal identity data that citizens entrust to computer networks every day.”
“Computer hacking and identity theft pose serious risks to our commercial, personal and financial security,” stated U.S. Attorney for the Eastern District of New York Benton J. Campbell. “Hackers, including those who commit their crimes from abroad, will find no refuge from the reach of U.S. criminal justice — they will be found, prosecuted and convicted.”
“Technology has forever changed the way we do business, virtually erasing geographic boundaries,” said U.S. Secret Service Director Mark Sullivan. “However, this case demonstrates that even in the cyber world, there is no such thing as anonymity. The Secret Service, in conjunction with its many law enforcement partners across the United States and around the world, continues to successfully combat these crimes by adapting our investigative methodologies. We realize our success in this investigation is due in part to the cooperation of these partners in more than a dozen international law enforcement agencies.”
According to the indictments to which Gonzalez pleaded guilty, he and his co-conspirators broke into retail credit card payment systems through a series of sophisticated techniques, including “wardriving” and installation of sniffer programs to capture credit and debit card numbers used at these retail stores. Wardriving involves driving around in a car with a laptop computer looking for accessible wireless computer networks of retailers. Using these techniques, Gonzalez and his co-conspirators were able to steal more than 40 million credit and debit card numbers from retailers. Also according to the indictments, Gonzalez and his co-conspirators sold the numbers to others for their fraudulent use and engaged in ATM fraud by encoding the data on the magnetic stripes of blank cards and withdrawing tens of thousands of dollars at a time from ATMs. According to the indictments, Gonzalez and his co-conspirators concealed and laundered their fraud proceeds by using anonymous Internet-based currencies both within the United States and abroad, and by channeling funds through bank accounts in Eastern Europe.
Based on the terms of the Boston plea agreement, Gonzalez faces a minimum of 15 years and a maximum of 25 years in prison. Based on the New York plea agreement, Gonzalez faces up to 20 years in prison, which the parties have agreed should run concurrently. He also faces a fine of up to twice the pecuniary gain, twice the victims’ pecuniary loss or $250,000, whichever is greatest, per count for the Boston case and a maximum fine of $250,000 for the New York case. Gonzalez also agreed to an order of restitution for the loss suffered by his victims, and forfeiture of more than $2.7 million as well as multiple items of real estate and personal property, including a condo in Miami, a 2006 BMW 330i, a Tiffany diamond ring and Rolex watches. Included in the forfeited currency is more than $1 million in cash, which Gonzalez had buried in a container in his backyard. Sentencing is scheduled for Dec. 8, 2009.
Gonzalez remains under indictment for charges brought in August 2009 by the U.S. Attorney’s Office for the District of New Jersey of conspiring to hack into computer networks supporting major U.S. retail and financial organizations and steal credit and debit card numbers from those entities. Among the corporate victims named in that indictment are Heartland Payment Systems, a New Jersey-based card payment processor; 7-Eleven Inc., a Texas-based nationwide convenience store chain; and Hannaford Brothers Co. Inc., a Maine-based supermarket chain. Charges in that case remain pending. An indictment is merely an allegation and defendants are presumed innocent until and unless proven guilty in court. While Gonzalez has pleaded guilty to the Boston and New York charges, he has not pleaded guilty to charges pending in New Jersey and remains presumed innocent of those charges.
The Boston case is being prosecuted by Assistant U.S. Attorneys Stephen Heymann and Donald Cabell of the District of Massachusetts. The New York case is being prosecuted by Assistant U.S. Attorney William Campos of the Eastern District of New York, and Senior Counsel Kimberly Kiefer Peretti and Trial Attorney Evan Williams of the Criminal Division’s Computer Crime and Intellectual Property Section. All of these cases are being investigated by the U.S. Secret Service.