TJX, Heartland Hacker Convicted and gets 20 Years!

October 10, 2010

Hacker Sentenced to 20 Years for Breach of Credit Card Processor

By Kim Zetter | March 26, 2010 | 3:11 pm | Categories: Breaches, Crime, Cybersecurity, Hacks and Cracks

BOSTON — Convicted TJX hacker Albert Gonzalez was sentenced to 20 years and a day, and fined $25,000 on Friday for his role in breaches into Heartland Payment Systems, 7-Eleven and other companies.

The sentence will run concurrently with a 20-year sentence he received on Thursday in two other cases involving hacks into TJX, Office Max, Dave & Busters restaurants and others, so it adds only one day to his total prison term. Restitution will be decided at a future hearing.

“I understand the road to redemption will be long,” said Gonzalez, 28, before the sentence was pronounced.

Albert Gonzalez at the 2001 DefCon hackers' convention in Las Vegas

Gonzalez, who once dubbed his criminal enterprise “Operation Get Rich or Die Tryin’,” had faced a sentence of between 17 and 25 years for the intrusions.

He was indicted last August — along with two unnamed East European hackers known only as “Grigg” and “Annex” — on charges of hacking into Heartland Payment Systems, a New Jersey card-processing company, as well as Hannaford Brothers supermarket chain, 7-Eleven and two unnamed national retailers.

Lawyers representing the two unnamed companies spent 30 minutes Friday trying to persuade the court not to unseal documents identifying those retailers, who suffered breaches, but no known loss of sensitive customer data. In the end, U.S. District Judge Douglas Woodlock ordered the documents unsealed, paving the way for the companies to be identified. [Update: One of the companies has been confirmed as JC Penney, by the blog Storefront Backtalk, which reported last year that the company was believed to be among the targets. The second company is Wet Seal.]

According to the government, Gonzalez and an uncharged conspirator found the targets on a list of Fortune 500 companies and then did reconnaissance to determine the payment-processing systems they used. They then uncovered vulnerabilities in the systems they could exploit.

Using a SQL-injection attack, the hackers broke into the 7-Eleven network in August 2007, stealing an undetermined amount of card data. They used the same kind of attack to infiltrate Hannaford Brothers in November 2007, which resulted in 4.2 million stolen debit and credit card numbers; and into Heartland on Dec. 26, 2007. Of the two unnamed national retailers mentioned in the affidavit, one was breached on Oct. 23, 2007, and the other sometime around January 2008.

Once on the networks, the hackers installed back doors to provide them with continued access. They tested their malware against 20 different antivirus programs to make sure they wouldn’t be detected, and also programmed the malware to erase evidence from the hacked networks to avoid forensic detection.

The initial breach into Heartland was confined to the company’s corporate network, which was separate from its card-processing network. But by May 2008, the hackers had jumped to the processing network. Heartland discovered the hackers on its network only in January 2009 after being told by credit card companies that it might have been breached.

According to prosecutors, the breach of Heartland and Hannaford resulted in a data theft on 130 million credit and debit cards. The company claimed losses of $130 million.

Although Gonzalez pleaded guilty to the charges, his attorney said in a sentencing memo that he played only a peripheral role in this case, as opposed to the ringleader role he played in the TJX hack.

According to the memo, the intrusions and data theft in this case were conducted by “Grigg” and “Annex,” and Gonzalez learned of the breach only after the fact. He also did not participate in the sale of the stolen card data “nor did he profit from any of the intrusions at issue in this case.”

His only role was to provide the hackers “with certain services he controlled” and to ask another hacker to modify malware that one of the East European hackers might have designed.

He had only “minor and insignificant” involvement in the 7-Eleven intrusion as well. For this reason, he should receive the minimum sentence, his attorney argued.

Gonzalez’s crimes were committed mostly between 2005 and 2008 while he was drawing a $75,000 salary working for the U.S. Secret Service as a paid undercover informant.

“It would take an enormous number of robberies to capture the amount of money” stolen by Gonzalez and his crew, Woodlock told the hacker. “This is real time. And it’s meant to deliver a message to others.”

