As his parents and sister silently wept, hacker mastermind Albert Gonzalez was sentenced Thursday in U.S. District Court to two concurrent 20-year stints in prison for his role in what prosecutors called the “unparalleled” theft of millions of credit and debit card numbers from major U.S. retailers.
U.S. District Court Judge Patti B. Saris announced the concurrent sentences in two 2008 cases against Gonzalez, 28, a Cuban-American born in Miami, where he lived when the crimes were committed.
According to binding terms of a plea agreement Gonzalez forged with the U.S. Department of Justice, he could have received between 15 years and 25 years for the crimes.
“I stand before you humbled by these past 24 months,” Gonzalez said in court, slightly expanding the time he has been incarcerated since his arrest in May 2008. “I’m guilty not only of exploiting complicated networks, but also of exploiting personal relationships,” he said.
He added that he had exploited a relationship with a “government agency,” a reference to a previous deal he had related to a separate criminal case in which he agreed to be an informant for the U.S. Secret Service, but provided information from that agency to one of his co-conspirators in the credit-card theft cases.
“I’ve impacted the lives of millions of individuals and I violated the sanctity of my parents’ home,” said Gonzalez, who was wearing khaki-colored jail garb and a stylish, closely shorn haircut — quite different from the long locks he sported when he was arrested.
Gonzalez stashed more than a million dollars in a hole in the backyard of his parents’ Miami home, although he drew a map for investigators to find the hidden loot and forfeited it and other ill-gotten material goods after he was arrested.
He urged Judge Saris to sentence him on the low end of the agreed-to spectrum, saying he hopes to some day prove to his parents that he loves them as much as they love him and that he wants upon his release to turn his life around.
Gonzalez and co-conspirators hacked into computer systems and stole credit card information from TJX, Office Max, DSW and Dave and Buster’s, among other online retail outlets, in one of the largest — if not the largest — cybercrime operations targeting that sort of data thus far.
They used some of the stolen numbers to withdraw cash from ATMs and sold many of the other numbers to other criminals, including those in Eastern Europe.
Gonzalez pleaded guilty to conspiracy charges in two cases related to those thefts last December and the following day entered a guilty plea in a third case involving hacking into computer networks of Heartland Payment Systems and the Hannaford Supermarkets and 7-Eleven chains, also to steal credit and debit card numbers.
The Heartland hacking was particularly damaging because the company processes transactions for major credit and debit card companies Visa and American Express.
He is scheduled to be sentenced in the third case Friday in U.S. District Court for the District of Massachusetts. Gonzalez was indicted in New York, New Jersey and Massachusetts, with the cases eventually moved to the same federal court.
After reviewing the cases following established sentencing guidelines that take into account various factors, including the effects of the crimes, the DOJ sought the maximum agreed to under the plea deal in two cases and 20 years in the other.
Without that agreement in place, sentencing guidelines that consider previous crimes and the severity of these crimes would call for a maximum of life in prison.
However, Judge Saris said that with respect to the two cases in her court, she believes the 20-year sentences are “sufficient” to suit the crimes and also will send a message to would-be cybercriminals, who tend to be young adults, that they could spend much of their youth in prison if they are caught.
Saris was apparently moved by letters written by Gonzalez’s loved ones, who described him as “interactive and loved and loving — there is another side to your personality,” she said of those accounts. “And yet when you read the [case] transcripts there’s this macho glee” about the crimes he was committing, she added.
Furthermore, he “two-timed” the Secret Service, “almost like a double agent,” she said.
Defense attorney Martin Weinberg argued in court documents and again in court Thursday that Gonzalez should be sentenced to 15 years.
While the government referred to the cases as “identity theft,” they were instead thefts of data that did not involve stealing victims’ identities to “invade their bank accounts, withdraw money, and ruin their credit,” according to a court filing, which Weinberg reiterated Thursday.
Furthermore, Gonzalez “did not hack into government computer systems, he did not crash computer systems by spreading viruses or inundating them with spam, and he did not invade the privacy of individuals’ computers to steal such data as passwords to compromise their financial life and invade their personal property,” Weinberg wrote in the court document.
The defense had further argued that Gonzalez was a substance-abusing Internet addict with Asperger’s syndrome — a form of autism — at the time of his crimes, so he should merit fewer years in prison.
Also, one of the three unrelated cases cited by the DOJ in making its argument for longer sentences — because there should be parity in sentencing similar crimes — was much worse than what Gonzalez did, Weinberg said in the filing.
He added in court that some of the most egregious white-collar criminals in recent memory, who stole people’s pensions and literally ruined lives, have not received sentences as long as 25 years.
At issue Thursday was the thorny subject of determining how many victims there were of Gonzalez’s computer thievery. The judge interrupted arguments by the attorneys to ask if there is any way to know financial figures or anything about “individuals” who were harmed.
While the companies and financial institutions that were affected are known, putting actual human faces and dollar amounts on the crimes is not something that may ever be possible, it was agreed.
Indeed, the issue of restitution was set aside for a separate hearing on June 25, to give the DOJ and others involved in the case time to come up with a total figure.
Judge Saris said that she is likely to have to determine an amount of restitution and then leave the rest of the damages companies hope to recover to lawsuits.
Heartland has already agreed to multimillion-dollar settlements with Visa and American Express for damages in the hacking thefts.
Gonzalez forfeited more than $1 million that can be used as restitution. However, “you’re never possibly going to be paying all that I’m ordering,” said Saris, who levied a $25,000 fine Thursday and deferred remaining issues of restitution until the June hearing.
But the fact that he turned over the stashed money and that he seems remorseful were among the reasons she imposed sentences in the middle of the range, she said, adding that there were other factors she took into account that she could not disclose in the public sentencing hearing because that information is under court seal.
Judge Saris would like to see Gonzalez someday be released from prison and find work so that he can pay back some of what he stole from victims, she said. Along those lines, after he is released, he will be supervised by the court for three years, during which time he will not be allowed to use the Internet.
His use of electronics will be monitored and he will have to undergo drug and alcohol testing. While the DOJ had suggested a prohibition on the use of all electronics, Judge Saris was skeptical of how that could be applied, particularly almost two decades from now. (Gonzalez will get credit for time served.)
“By the time he gets out in 20 years, there may not be landlines,” she said, recommending that mobile phones be excluded from the prohibition.
On the other hand, she also has seen hackers she’s sentenced show back up in court after they’ve been released. “I do think there is a chance of recidivism here,” she said, noting that such criminals often find the lure irresistible.
In fact, when he addressed the court, Gonzalez said that he was not motivated by greed or other foul intent, but by simple “curiosity” and “my addiction.”
Federal prosecutors, however, painted a much different portrait of him. “Albert Gonzalez was motivated by ego, challenge and greed and was proud of the national attention his computer intrusions and data thefts drew,” the DOJ said in its sentencing filing.
“They drew that attention because they victimized more people than anyone had ever done before in this country, caused hundreds of millions of dollars in losses, and shook the public’s trust in the security of credit and debit card transactions at some of the country’s largest institutions.
“Gonzalez already has been given a second chance. He used that second chance not to straighten out his life, but to provide cover as [he has] committed ever more brash and destructive crimes.”