February 26, 2010

Guilty pleas end case of Hannaford data breach


— By

The Associated Press

BOSTON — A computer hacker who helped orchestrate the theft of millions of credit card and debit card numbers from Hannaford Bros. and other major retailers pleaded guilty Tuesday in a Boston court. It was the last of three cases brought by federal prosecutors in one of the largest such thefts in U.S. history.

Albert Gonzalez, a one-time federal informant from Miami, faces a prison sentence of up to 25 years under the terms of separate plea agreements. He is tentatively scheduled for sentencing in March.

''This is a young kid who did some reckless things, and he's going to pay a price for it,'' Gonzalez's attorney, Martin Weinberg, said after his 28-year-old client calmly admitted charges of conspiracy and wire fraud.

Weinberg said Gonzalez was remorseful and that he would ask two federal judges hearing the cases to sentence Gonzalez to the lower end of the 17- to 25-year sentencing range spelled out in the plea agreements.

Tuesday's plea stemmed from a case that was originally brought by federal prosecutors in New Jersey but later transferred to Boston. It charged Gonzalez with conspiracy to gain unauthorized access to computer servers at Hannaford, a Maine-based supermarket chain; convenience store giant 7-Eleven Inc.; Heartland Payment Systems Inc., a New Jersey-based processor of credit and debit cards; and two unnamed companies.

Gonzalez made his money by selling stolen card numbers to others. In the Hannaford breach, an extimated 4.2 million card numbers were exposed to theft and 1,800 fraudulent charges were made.

In September, Gonzalez pleaded guilty in two other cases that were combined in Boston. Those cases included charges that he hacked into the computers of prominent retailers such as TJX Cos., BJ's Wholesale Club, OfficeMax, Boston Market, Barnes & Noble and Sports Authority.

Under questioning Tuesday by U.S. District Court Judge Douglas Woodlock, Gonzalez indicated that he had used alcohol and a number of drugs, including marijuana, cocaine and LSD, before his arrest in May 2008.

Federal prosecutors have agreed to seek concurrent sentences in the cases, meaning that Gonzalez would serve no more than 25 years in prison. Weinberg, however, said he would argue for a lesser sentence based on factors including the prior drug abuse and a psychiatrist's report that Gonzalez exhibits behavior consistent with Asperger's syndrome, a form of autism.

The defense-commissioned report by Dr. Barry Roth described Gonzalez as an Internet addict with an ''idiot-Savant-like genius for computers and information technology,'' but socially awkward. ''His personal life has been characterized most of all by awkwardness, impairment, troubles connecting to people, with an overarching preference and predilection to machines and technology,'' Roth wrote.

Authorities said Gonzalez, who said he had worked as a computer security consultant, was the ringleader of a group that targeted large retailers.

In 2003, Gonzalez was arrested for hacking but was not charged because he became an informant, helping the Secret Service find other hackers. But authorities said he continued to use his talents for illegal activities.

Over the next five years, he hacked into the computer systems of retailers even while he was assisting the government.

He lived lavishly during that time. Authorities said he amassed $2.8 million and bought a Miami condo and a BMW. Under the plea deals, Gonzalez must forfeit more than $2.7 million, plus his condo, car, a Tiffany ring he gave to his girlfriend and Rolex watches he gave to his father and friends.

Before accepting the plea Tuesday, Judge Woodlock heard Assistant U.S. Attorney Stephen Heymann outline the sophisticated hacking scheme, which also involved an individual identified only as ''P.T.'' and two individuals identified in the indictment as Hacker 1 and Hacker 2. Heymann said they remain fugitives.

Gonzalez identified potential corporate victims by poring through lists of Fortune 500 companies and by going to retail stores to probe for potential vulnerabilities, Heymann said.

''It was foreseeable to defendant Gonzalez that the losses resulting from unauthorized access into the servers of the corporate victims identified in the indictment would exceed $20 million,'' Heymann said.

Were you interviewed for this story? If so, please fill out our accuracy form

Send question/comment to the editors

Further Discussion

Here at PressHerald.com we value our readers and are committed to growing our community by encouraging you to add to the discussion. To ensure conscientious dialogue we have implemented a strict no-bullying policy. To participate, you must follow our Terms of Use.

Questions about the article? Add them below and we’ll try to answer them or do a follow-up post as soon as we can. Technical problems? Email them to us with an exact description of the problem. Make sure to include:
  • Type of computer or mobile device your are using
  • Exact operating system and browser you are viewing the site on (TIP: You can easily determine your operating system here.)