Updated 4:45 p.m.
A sophisticated computer hacker who allegedly participated in a conspiracy that netted more than 40 million credit and debit card accounts from at least nine corporations has agreed to plead guilty to wire fraud and conspiracy charges in federal court in Boston, capping one of the largest-ever identity theft prosecutions, Justice Department officials said Friday.
Albert Gonzalez, 28, a Miami native and one-time Secret Service informant, is scheduled to plead guilty in U.S. District Court for the District of Massachusetts next month, according to a plea agreement filed Friday.
Several other codefendants in the Boston case have already pleaded guilty for having roles in the cyber fraud conspiracy that struck several retailers including Barnes & Noble, Sports Authority and, TJX Companies, which owns discount clothing stores T.J. Maxx and Marshalls. TJX has claimed in court papers that it incurred more than $130 million in losses stemming from the intrusion.
According to the plea agreement, Gonzalez will also plead guilty to similar charges in the U.S. District Court for the Eastern District of New York. Gonzalez was indicted in New York in May 2008 for allegedly breaking into the computer system of Dave & Buster’s restaurant chain. That case was scheduled to go to trial next month.
The deal does not mention any agreement regarding a third case filed Aug. 17 against Gonzalez in the U.S. District Court for the District of New Jersey. Prosecutors in New Jersey allege Gonzalez and two unnamed Russian co-conspirators stole more than 130 million credit and debit cards from corporate victims that include 7-Eleven and Heartland Payment Systems, one of the country’s largest credit and debit card processing companies.
In the Boston and New York prosecutions, Gonzalez agreed to a sentence between 15 and 25 years, according to the agreement filed Friday. The sentence will run concurrent to any sentence that is imposed in the pending case in New Jersey, according to court papers.
Prosecutors said a fine against Gonzalez will be determined at the time of his sentencing. His lawyer, Miami solo practitioner Rene Palomino Jr., was not immediately reached for comment. Local counsel in Boston for Gonzalez, Martin Weinberg, a solo practitioner, declined to comment.
Gonzalez agreed to forfeit assets that include more than $2.7 million, a condominium in Miami, a 2006 BMW, three Rolex watches and a Tiffany & Co. diamond ring he gave to a woman as a gift, court records show.
The prosecution of Gonzalez has been closely watched by defense lawyers and corporate attorneys given the sheer size of the cases, the involvement of Fortune 500 companies, and the extraordinary measures the government has taken to control its evidence.
Prosecutors fought for restrictions on what evidence Gonzalez and his legal team could see and required a record be kept of any material Gonzalez has looked at, claiming he might use it to commit other crimes.
The Justice Department and Secret Service even created new technology—spending $150,000 at Carnegie Mellon University in Pittsburgh for a secure database—to hold the billions of files containing names, passwords, account numbers, and corporate network data that make up the bulk of electronic evidence being gathered in the case.
In March, assistant U.S. attorney Stephen Heymann noted in court papers filed in the Boston case that Gonzalez was recorded on a phone call from prison telling an associate to destroy a paper copy of a contacts list but keep the electronic version of it.
“The potential risk of misuse of the electronic discovery materials by the defendant is demonstrably high, and the potential cost to individuals and corporations that the defendant has already victimized is equally high,” Heymann said in court papers.
Gonzalez’s lawyers complained that the restrictions would hurt their client’s ability to defend himself, but they ultimately agreed to several concessions, including keeping track of the material Gonzalez had viewed.
Gonzalez’s lawyer Weinberg, in an interview with The National Law Journal before the plea deal was announced, said the Gonzalez case “is a window into our future.”
“This case stands at the dawn of the criminal justice system’s response to the unique demands generated by computers and the Internet,” he said, noting that Congress has not created statutory protections for stolen credit card data as it has for child pornography and classified intelligence.
Former prosecutors say they aren’t surprised by the government’s posture regarding evidence in this case.
“The government is going to push for maximum restrictions. Given the scope of the allegations it would certainly call for unusual measures,” said Eugene, Oregon defense lawyer Joseph Metcalfe, a former prosecutor in the Justice Department’s Computer Crime and Intellectual Property Section.
And it wasn’t just prosecutors who were trying to control Gonzalez’s access to information. Lawyers for TJX told a judge that allowing Gonzalez access to its trade secrets could expose the company to further computer attacks.
TJX’s lawyer, Ropes & Gray partner Samuel Buffone, said in said in court papers that the intrusion had an “extremely serious” impact on the company through “litigation, claims, and investigations, as well as damage to its reputation and customers’ concerns about shopping at its stores.” TJX cooperated in the investigation and prosecution of Gonzalez.
In December 2007, TJX and its Cincinnati-based merchant bank, Fifth Third Bancorp, finalized a $41 million out-of-court agreement, settling claims brought by financial institutions for the expenses they incurred replacing the cards. TJX announced in June that it settled for $9.75 million with 41 states to resolve allegations that the company failed to take sufficient steps to protect customer information.
One of the companies at the center of the New Jersey prosecution is currently fighting civil suits over the data breach.
Heartland Payment Systems, whose payment processing system was allegedly hacked by Gonzalez in December 2007, is facing consolidated class actions from individual consumers and banks, among other plaintiffs, in the U.S. District Court for the Southern District of Texas.
“If the numbers pan out, this will certainly be the largest data breach in the history of the universe—to date,” said Richard Coffmann, a solo practitioner in Beaumont, Texas, who is co-lead counsel for a group of banks suing Heartland.