Thursday, December 12, 2013
The Associated Press
BOSTON — A computer hacker who helped orchestrate the theft of millions of credit card and debit card numbers from Hannaford Bros. and other major retailers pleaded guilty Tuesday in a Boston court. It was the last of three cases brought by federal prosecutors in one of the largest such thefts in U.S. history.
Albert Gonzalez, a one-time federal informant from Miami, faces a prison sentence of up to 25 years under the terms of separate plea agreements. He is tentatively scheduled for sentencing in March.
"This is a young kid who did some reckless things, and he's going to pay a price for it," Gonzalez's attorney, Martin Weinberg, said after his 28-year-old client calmly admitted charges of conspiracy and wire fraud.
Weinberg said Gonzalez was remorseful and that he would ask two federal judges hearing the cases to sentence Gonzalez to the lower end of the 17- to 25-year sentencing range spelled out in the plea agreements.
Tuesday's plea stemmed from a case that was originally brought by federal prosecutors in New Jersey but later transferred to Boston. It charged Gonzalez with conspiracy to gain unauthorized access to computer servers at Hannaford, a Maine-based supermarket chain; convenience store giant 7-Eleven Inc.; Heartland Payment Systems Inc., a New Jersey-based processor of credit and debit cards; and two unnamed companies.
Gonzalez made his money by selling stolen card numbers to others. In the Hannaford breach, an estimated 4.2 million card numbers were exposed to theft and 1,800 fraudulent charges were made.
In September, Gonzalez pleaded guilty in two other cases that were combined in Boston. Those cases included charges that he hacked into the computers of prominent retailers such as TJX Cos., BJ's Wholesale Club, OfficeMax, Boston Market, Barnes & Noble and Sports Authority.
Under questioning Tuesday by U.S. District Court Judge Douglas Woodlock, Gonzalez indicated that he had used alcohol and a number of drugs, including marijuana, cocaine and LSD, before his arrest in May 2008.
Federal prosecutors have agreed to seek concurrent sentences in the cases, meaning that Gonzalez would serve no more than 25 years in prison. Weinberg, however, said he would argue for a lesser sentence based on factors including the prior drug abuse and a psychiatrist's report that Gonzalez exhibits behavior consistent with Asperger's syndrome, a form of autism.
The defense-commissioned report by Dr. Barry Roth described Gonzalez as an Internet addict with an "idiot-Savant-like genius for computers and information technology," but socially awkward. "His personal life has been characterized most of all by awkwardness, impairment, troubles connecting to people, with an overarching preference and predilection to machines and technology," Roth wrote.
Authorities said Gonzalez, who said he had worked as a computer security consultant, was the ringleader of a group that targeted large retailers.
In 2003, Gonzalez was arrested for hacking but was not charged because he became an informant, helping the Secret Service find other hackers. But authorities said he continued to use his talents for illegal activities.
Over the next five years, he hacked into the computer systems of retailers even while he was assisting the government.
He lived lavishly during that time. Authorities said he amassed $2.8 million and bought a Miami condo and a BMW. Under the plea deals, Gonzalez must forfeit more than $2.7 million, plus his condo, car, a Tiffany ring he gave to his girlfriend and Rolex watches he gave to his father and friends.
Before accepting the plea Tuesday, Judge Woodlock heard Assistant U.S. Attorney Stephen Heymann outline the sophisticated hacking scheme, which also involved an individual identified only as "P.T." and two individuals identified in the indictment as Hacker 1 and Hacker 2. Heymann said they remain fugitives.
Gonzalez identified potential corporate victims by poring through lists of Fortune 500 companies and by going to retail stores to probe for potential vulnerabilities, Heymann said.
"It was foreseeable to defendant Gonzalez that the losses resulting from unauthorized access into the servers of the corporate victims identified in the indictment would exceed $20 million," Heymann said.