September 11, 2009, 12:31 PM — Hacker Albert Gonzalez, accused of masterminding the massive data thefts at BJ's Wholesale Club, TJX and several other retailers, has pleaded guilty to 19 charges related to computer hacking and credit card fraud, the U.S. Department of Justice said.
Gonzalez, 28, of Miami, was a member of a group of hackers that stole more than 40 million credit and debit card numbers from TJX, BJ's Wholesale Club, OfficeMax, Boston Market, Barnes & Noble and Sports Authority, the DOJ said. He pleaded guilty Friday to 19 counts of conspiracy, computer fraud, wire fraud, access device fraud and aggravated identity theft in U.S. District Court for the District of Massachusetts.
Gonzalez also pleaded guilty to one count of conspiracy to commit wire fraud relating to hacks into the Dave & Buster's restaurant chain, which were the subject of a May 2008 indictment in the Eastern District of New York. The pleas in both cases were entered before U.S. District Court Judge Patti Saris in federal court in Boston.
In August, Gonzalez was also indicted in New Jersey for the theft of more than 130 million credit and debit cards. He was charged, along with two unnamed co-conspirators, with using SQL injection attacks to steal credit and debit card information. Among the corporate victims named in the two-count indictment were Heartland Payment Systems, a New Jersey card payment processor; 7-Eleven, the Texas-based convenience store chain; and Hannaford Brothers, a Maine-based supermarket chain.
In the Boston and New York cases, Gonzalez and his co-conspirators broke into retail credit card payment systems through a series of sophisticated techniques, including "wardriving" and installation of sniffer programs to capture credit and debit card numbers used at retail stores, according to the indictments.
Gonzalez and his co-conspirators sold the numbers to others for fraudulent use and engaged in ATM fraud by encoding the data on the magnetic stripes of blank cards and withdrawing tens of thousands of dollars at a time from ATMs, the DOJ said. Gonzalez and his co-conspirators concealed and laundered their fraud proceeds by using anonymous Internet-based currencies both within the U.S. and abroad, and by channeling funds through bank accounts in Eastern Europe, the DOJ said.
Based on the terms of the Boston plea agreement, Gonzalez faces a minimum of 15 years and a maximum of 25 years in prison. Based on the New York plea agreement, Gonzalez faces up to 20 years in prison, which the parties have agreed should run concurrently with the Boston sentence.
He faces fines of US$250,000 in both cases, but the fines could be increased to twice his gains and twice the victims' losses in the Boston case.
Gonzalez also agreed to pay restitution for the loss suffered by his victims, and to forfeit more than $2.7 million, plus real estate, a 2006 BMW, a Tiffany diamond ring and Rolex watches, the DOJ said. Included in the forfeited currency is more than $1 million in cash, which Gonzalez had buried in a container in his backyard.
Sentencing is scheduled for Dec. 8.
"Computer hacking and identity theft pose serious risks to our commercial, personal and financial security," Benton Campbell, U.S. attorney for the Eastern District of New York, said in a statement. "Hackers, including those who commit their crimes from abroad, will find no refuge from the reach of U.S. criminal justice -- they will be found, prosecuted and convicted."
