The 28-year-old Miami native, who operated online under pseudonyms like "soupnazi" and "segvec," acknowledged stealing millions of debit and credit card numbers after penetrating the computer security defenses of a number of major companies, including Framingham-based TJX — best known for operating TJ Maxx and Marshalls stores — as well as Natick-based BJs, Boston Market, OfficeMax, Sports Authority, Barnes & Noble, DSW, Forever 21, and restaurant chain Dave & Buster's.
After pleading guilty to a litany of charges associated with the thefts, Gonzalez faced between 15 and 25 years in prison under an agreement with prosecutors, who pushed for the maximum possible sentence under the plea deal. But US District Court Judge Patti Saris settled on a sentence in the middle of the range, saying she had to weigh Gonzalez's remorse against the amount of damage he caused. Saris said the effects of his crimes were compounded by the fact that he committed them while working as a Secret Service informant after an earlier arrest in 2003, and she compared him to a "double agent."
"There is this macho, almost glee about how you could beat the system," Saris noted, referring to Gonzalez' boasts to friends in transcripts of private online chats. Saris also said that based on letters she received from Gonzalez's friends and family members, she doubted the suggestion from defense lawyers that he might have Asperger's Syndrome.
Gonzalez, wearing an olive prison uniform and speaking in a low voice, apologized in court to his family, and asked the judge for mercy, as his parents and sister tearfully looked on from the front row of the courtroom.
"I'm guilty not only of exploiting computer networks, but personal relationships,'' said Gonzalez, who has been in jail since he was arrested in Florida hotel room in May 2008. "I plead for leniency so that I can one day prove to [my family] that I love them, just as they love me."
Randy V. Sabett,a data security attorney in Washington, D.C., said the harsh punishment reflects both the magnitude of the charges and the government's increasing efforts to crack down on hacking.
"The long sentence corresponds to the magnitude of Mr. Gonzalez's crimes, and will likely be a frequently-cited indicator of the growing intolerance for cyber crime," said Sabett,a partner in the law firm Sonnenschein Nath & Rosenthal LLP.
Neither prosecutors nor attorneys for Gonzalez would comment on the sentence after the hearing, noting that he still faces additional charges.
Gonzalez is scheduled to be sentenced by US District Court Judge Douglas Woodlock in Boston tomorrow afternoon for helping to steal as many as 135 million debit and credit card numbers from Heartland Payment Systems, one of the country's largest processors of credit and debit card payments, and several major retailers, including the 7-Eleven national convenience store chain and Hannaford Brothers Corp., the regional grocery store chain based in Maine.
Under a plea agreement with prosecutors, Gonzalez faces 17 to 25 years in prison in that case. But that sentence is likely to run simultaneously with the 20-year sentence imposed today — meaning he likely faces no more than five additional years in prison.
In the sentencing today, Saris also fined Gonzalez $25,000, but put off setting the details of restitution for later. She noted that it could take time to figure out how to distribute the roughly $1.5 million in assets that were seized from Gonzalez, including $1.1 million buried in his parents' backyard after he drew a map that led them to the stash. The judge also barred him from using computers for at least three years after he is released from prison.
In calling for a stiff sentence today, prosecutors said Gonzalez and his accomplices reaped millions of dollars from the stolen customer card numbers, using them to withdraw cash from ATMs or selling them on the black market in Eastern Europe, causing hundreds of millions of damages to retailers and financial institutions .TJX alone, which operates stores under the Marshalls and TJMaxx brands, told shareholders the data breach will likely cost it $171.5 million, including the amount needed to settle legal claims.
"He shook a portion of our financial system," said Stephen Heymann, the assistant US Attorney handling the case. Heymann noted that millions of customers who shopped at the affected stores had to worry whether their personal data was stolen and might be misused.
Prosecutors have also charged a number of other people in connection with the thefts, but painted Gonzalez as the ringleader. "It was Gonzalez who organized an international group of hackers and identity thieves," Heymann said. "And it was Gonzalez who profited the most."
Martin Weinberg, one of Gonzalez's attorneys, acknowledged the severity of the crimes, but said a 15-year sentence would be more than sufficient to punish him and deter other potential criminals. He noted that Gonzalez has already served 22 months in prison, some of that in isolation, and is deeply sorry for the damage he has done.
"He's learned his lesson already," Weinberg told the judge.
Now that Gonzalez faces prison until his 40s, the Boston lawyer added: "It's beyond devastating."