TJX hacker receives second 20-year sentence
The Miami hacker who received a 20-year sentence Thursday for stealing millions of credit card numbers won't spend extra years in prison for his role in another major hacking case.
In Boston yesterday, US District Court Judge Douglas Woodlock cq sentenced Albert Gonzalez to 20 years and a day, plus a $25,000 fine, for his role in stealing an estimated 130 million card numbers largely from Heartland Payment Systems Inc., one of the nation's largest processor of credit and debit card payments.
The sentence was also imposed for charges that Gonzalez, 28, helped to steal credit and debit card numbers from the 7-Eleven convenience store chain and regional grocer Hannaford Brothers Corp. of Maine, and for breaking into the computer systems of two other unnamed retailers.
The new sentence will run simultaneously with the 20-year term imposed Thursday for stealing millions of card numbers from TJX Cos. of Framingham, BJ's Wholesale Club Inc. of Natick, and other major retailers.
Woodlock said he wanted to impose a significant sentence to punish Gonzalez and deter other hackers from committing similar crimes, but didn't want to add years to the sentence imposed on Thursday. Woodlock noted that Gonzalez would likely not be released until he was in his mid-40s.
"This is tremendous loss and you'll feel it,'' Woodlock told Gonzalez. "This is real time and is meant to deliver deterrence to others."
Gonzalez asked for leniency in a brief statement to the judge, as his sister and parents watched glumly from the front row of the courtroom.
"I'm guilty of these crimes," said Gonzalez, who sported closely cropped black hair, glasses, and olive prison clothes. "I accept full responsibility."
When US Department of Justice attorneys first brought charges in the Heartland case in New Jersey last year, they called it the largest credit card theft case ever prosecuted in the United States. Heartland alone said it racked up $129 million in losses because of the breach.
Gonzalez faced 17 to 25 years in the case under a plea agreement with prosecutors.But defense lawyers urged Woodlock to issue a sentence at the lower end of the range. While they acknowledged Gonzalez was the central figure in the TJX case, his attorneys argued he played only a "peripheral role" in the Heartland, Hannaford, and 7-Eleven thefts -- providing software and other assistance to two other hackers.
"Gonzalez did not even know of the Heartland intrusion prior to its occurrence," said Martin Weinberg, one of Gonzalez's attorneys, in a court brief.
Prosecutors acknowledged that Gonzalez did not obtain any of card numbers in the case or receive any proceeds from the thefts. But they argued the case was in some ways more serious than the TJX case, because it targeted a credit card processor that served thousands of retailers.
Gonzalez played a greater role in hacking into two other unnamed retailers, but did not actually obtain any customer data or profit from the breaches. The names of the companies are currently filed under seal. But Woodlock said he plans to lift the protective order, despite the firms' request for privacy. Woodlock said the privacy rights are designed to protect individuals such as rape victims in court cases -- not businesses.
"There should be no privacy rights for corporations," Woodlock said. "They are a legal construction."