Hacker Pleads Guilty for Retail Networks Attack

Responsible for theft of 40 million credit, debit card numbers

WASHINGTON -- An international computer hacker pleaded guilty today to multiple charges relating to hacking activity and credit-card fraud, said the U.S. Department of Justice (DOJ), represented by Assistant Attorney General of the Criminal Division Lanny A. Breuer, Acting U.S. Attorney for the District of Massachusetts Michael Loucks, U.S. Attorney for the Eastern District of New York Benton J. Campbell and Director of the U.S. Secret Service Mark Sullivan. More than 40 million credit- and debit-card numbers were stolen from major U.S. retailersincluding Dallas-based 7-Eleven [image-nocss] Inc.as a result of the hacking activity.

Albert Gonzalez, 28, of Miami, pleaded guilty today to 19 counts of conspiracy, computer fraud, wire fraud, access device fraud and aggravated identity theft relating to hacks into numerous major U.S. retailers including TJX Companies, BJ's Wholesale Club, OfficeMax, Boston Market, Barnes & Noble and Sports Authority. Gonzalez was indicted in August 2008 in the District of Massachusetts on charges related to these hacks.

Gonzalez also pleaded guilty to one count of conspiracy to commit wire fraud relating to hacks into the Dave & Buster's restaurant chain, which were the subject of a May 2008 indictment in the Eastern District of New York. The pleas in both cases were entered before U.S. District Court Judge Patti B. Saris in federal court in Boston.

According to the indictments to which Gonzalez pleaded guilty, he and his co-conspirators broke into retail credit card payment systems through a series of sophisticated techniques, including "wardriving" and installation of sniffer programs to capture credit and debit card numbers used at these retail stores. Wardriving involves driving around in a car with a laptop computer looking for accessible wireless computer networks of retailers. Using these techniques, Gonzalez and his co-conspirators were able to steal more than 40 million credit- and debit-card numbers from retailers.

Also according to the indictments, Gonzalez and his co-conspirators sold the numbers to others for their fraudulent use and engaged in ATM fraud by encoding the data on the magnetic stripes of blank cards and withdrawing tens of thousands of dollars at a time from ATMs. According to the indictments, Gonzalez and his co-conspirators concealed and laundered their fraud proceeds by using anonymous Internet-based currencies both within the United States and abroad, and by channeling funds through bank accounts in Eastern Europe.

Based on the terms of the Boston plea agreement, Gonzalez faces a minimum of 15 years and a maximum of 25 years in prison. Based on the New York plea agreement, Gonzalez faces up to 20 years in prison, which the parties have agreed should run concurrently. He also faces a fine of up to twice the pecuniary gain, twice the victims' pecuniary loss or $250,000, whichever is greatest, per count for the Boston case and a maximum fine of $250,000 for the New York case.

Gonzalez also agreed to an order of restitution for the loss suffered by his victims, and forfeiture of more than $2.7 million as well as multiple items of real estate and personal property, including a condo in Miami, a 2006 BMW 330i, a Tiffany diamond ring and Rolex watches. Included in the forfeited currency is more than $1 million in cash, which Gonzalez had buried in a container in his backyard. Sentencing is scheduled for Dec. 8, 2009.

Gonzalez remains under indictment for charges brought in August 2009 by the U.S. Attorney's Office for the District of New Jersey of conspiring to hack into computer networks supporting major U.S. retail and financial organizations and steal credit- and debit-card numbers from those entities. Among the corporate victims named in that indictment are card payment processor Heartland Payment Systems; 7-Eleven; and supermarket chain Hannaford Brothers Co. Inc. Charges in that case remain pending. An indictment is merely an allegation and defendants are presumed innocent until and unless proven guilty in court. While Gonzalez has pleaded guilty to the Boston and New York charges, he has not pleaded guilty to charges pending in New Jersey and remains presumed innocent of those charges.

"Consumers must be able to trust that the credit and debit cards they use everyday in thousands of stores around the world are safe from unlawful access," said Breuer. "Working together with U.S. Attorneys' Offices around the country and with the invaluable support of law enforcement agencies, we will continue our efforts to identify and prosecute hacking and credit card fraud."

Loucks said, "The investigation and prosecution of identity theft is a top priority of the department. In the past 10 years there has been a dramatic growth in the transfer and storage of credit and debit card data on computer networks. It is thus compellingly important that we work hard to investigate and prosecute the theft of personal identity data that citizens entrust to computer networks every day." Click herefor previous CSP Daily news coverage.