A sophisticated hacker pleaded guilty today to conspiring to hack into computer networks supporting major American retail and financial organizations, and to steal data relating to tens of millions of credit and debit cards in a case that the Justice Department said is one of the largest data breaches ever investigated and prosecuted in the United States.
Albert Gonzalez, 28, of Miami, a onetime Secret Service informant, pleaded guilty to two counts of conspiracy to gain unauthorized access to the payment card networks operated by, among others, Heartland Payment Systems, a New Jersey-based card processor; 7-Eleven, a Texas-based nationwide convenience store chain; and Hannaford Brothers Co. Inc., a Maine-based supermarket chain, according to a Justice Department statement. Several codefendants have already pleaded guilty.
The plea was entered in federal court in Boston.
Justice Department officials had announced news of a plea agreement with Gonzalez covering charges in New York and Massachusetts in August, though at the time, the deal did not mention the New Jersey charges. See earlier BLT posts on the case here and here.
Lanny Breuer, assistant attorney general of the criminal division, said in a statement that hackers such as Gonzalez "will be caught, exposed and held to account...even the most sophisticated hacking rings can be uncovered and dismantled, as our prosecutors and agents demonstrated in this case.”
The Justice Department statement said that according to information in Gonzalez' plea agreement, Gonzalez gave other hackers access to servers he controlled, knowing they would use to store malware and for attacks, among other things.
Gonzalez pleaded guilty in September 2009 in Boston to 19 counts of conspiracy, computer fraud, wire fraud, access device fraud and aggravated identity theft relating to hacks into numerous major U.S. retailers including TJX Companies, BJ’s Wholesale Club, OfficeMax, Boston Market, Barnes & Noble and Sports Authority. Gonzalez also pleaded guilty in September 2009 in Boston to one count of conspiracy to commit wire fraud relating to hacks into the Dave & Buster’s restaurant chain, which were the subject of a May 2008 indictment in the Eastern District of New York.
The Justice Department said that as part of the plea agreement with the government, the New Jersey case was transferred to the District of Massachusetts for plea and sentencing. According to the terms of the New Jersey plea agreement, the parties agree that Gonzalez’ sentence in the New Jersey case should run concurrently with the sentence imposed in the Boston and New York cases. Gonzalez is in federal custody. Sentencing in the Boston and New York cases is currently scheduled for March 18, 2010, in Boston. Sentencing in the New Jersey case is scheduled for March 19, 2010.
Based on the terms of the plea agreement, Gonzalez will not seek a prison term under 17 years and the government will not seek a prison term of more than 25 years.
His lawyers, Miami solo practitioner Rene Palomino Jr. and Boston solo practitioner Martin Weinberg, could not immediately be reached for comment.