September 11, 2009 was a landmark day in its own right. On this day, Alberto Gonzales, the hacker masterminding the cyber theft of more than 170M credit card numbers, pleaded guilty to 19 counts of computer and wire fraud, conspiracy, and aggravated identity theft.
The guilty plea is a first step toward closing the chapter on two of the largest ever instances of credit card fraud in U.S. history. Gonzales and his accomplishes hacked into the wireless networks of several large retailer chains, including discount retailer TJX Companies, lifting more than 40 million credit card numbers. The TJX breach was dwarfed only by the 130M credit cards stolen at New Jersey-based credit card processor Heartland Payment Systems, also by Gonzales and his accomplices. Gonzales and his co-conspirators sold the stolen credit card data over the Internet and used the proceeds to fund their lavish lifestyles.
Also known under the code name “the Soup Nazi,” Gonzales faces up to 25 years in prison for the TJX credit card theft. He is yet to face separate charges in New Jersey for the Heartland Payment Systems security breech, which could bring him another 25 years in prison.
While the apprehension of Gonzales represents a significant step forward for credit card security, the fall-out from the cyber theft at both TJX Companies and Heartland Payment Systems will continue for years to come. Consumers who had their credit card numbers, interestingly, are the least affected. The credit card industry protects consumers against most instances of credit card fraud by picking up the tab for fraudulent charges. (Consumers still have the headache of having to discover and report false charges, get them refunded, and get replacement cards.)
Credit card companies and banks, however, lose a considerable amount of money in the aftermath of credit card theft. In the data breach at Heartland Payment Systems, some of the banks affected by the breach had to issue new cards to cardholders (to the tune of $5 to $30 per card), and many offered free credit monitoring, in addition to absorbing the losses of cards that were fraudulently used.
Massachusetts-based Lowell Five Cent Savings Bank, for example, had to spend $40,000-50,000 to prevent fraudulent use of more than 3,300 of debit cards compromised in the security breach, according to The Boston Globe. For small community banks, this is a considerable expense, which most seek to recover by suing the companies where the security breach took place.
Both TJX and Heartland have faced a tidal wave of lawsuits from banks, individuals, and government agencies, which accuse them of not keeping their security measures up to standard. Heartland Payment Systems, for example, is being sued by credit card companies and other financial institutions seeking to recover expenses for reissuing debit and/or credit cards to their customers and for costs incurred due to fraudulent charges. In addition, Heartland is facing several class action law suits. The tab for TJX so far is estimated at $132 million, which includes the costs of settling lawsuits ($65 alone to banks issuing Visa and MasterCard credit cards) and the cost to investigate and remedy the security breach. The company expects to spend almost $40 million more to handle additional claims before the dust settles.
Meanwhile, Gonzales, now safely behind bars, feels very sorry and remorseful about what has happened, according to his lawyer. Gonzales’ belated feelings of remorse unfortunately will be scant comfort for consumers, banks and shareholders facing losses in the hundreds of millions dollars.
