End of Road for Hacker in Record Credit Card Theft

By Eva Norlyk Smith, Ph.D.

Authorities came one step closer to closing the chapter on the largest ever credit card theft in the U.S. on Tuesday, when Alberto Gonzales, a 28 year-old Florida resident, pleaded guilty to two counts of conspiracy in a federal court in Boston.

Together with his co-conspirators, Gonzales in 2008 masterminded data breaches at New Jersey-based Heartland Payment Systems, Inc., along with retailers 7-Eleven, Inc., and Hannaford Brothers Co. which compromised an estimated 130 million credit and debit card numbers. Prosecutors described the break-in as the largest ever data breach in U.S. history.

Gonzales in September also pleaded guilty to 19 counts of conspiracy, wire fraud, computer fraud and more for his role in engineering a series of cyber break-ins into several major U.S. retailers, including TJX, the parent of TJMaxx, and Marshall’s stores. Those cyber thefts are thought to have netted the hackers more than 40 million credit card numbers.

For Gonzales, it was the end of a long journey, which began in a drug and alcohol addiction at the age of 16 and led through a stint as an informant for the U.S. Secret Service, where he was engaged to help the agency track down hackers. At the same time, however, he was passing on sensitive information about ongoing investigations to other hackers. Gonzales used the proceeds from his operations to fund his drug use and a lavish lifestyle, once throwing a $75,000 birthday party for himself. According to the Boston Globe, Gonzales was addicted to the Internet, and he may have Asperger syndrome, an autism-like disorder characterized by poor social skills, high intelligence, and a few almost obsessive interests, which in Gonzales case included a passion for hacking. Numerous early attempts from his parents and school to discourage hacking were unsuccessful.

Gonzales now faces between 17 and 25 years in prison, under the terms of the plea agreement; he originally could have been sentenced to up to 35 years in prison. Sentencing for both cases is scheduled for March 18 and 19, and will take place in Boston, where Gonzales currently is in custody.

The case is a sobering reminder about just how vulnerable computer security systems storing millions of credit card numbers and other sensitive financial data often are. The hacker ring penetrated the computer security systems of the retailers involved by exploiting vulnerabilities in their wireless Internet signals. They then installed so-called “sniffer programs” to siphon off credit and debit card numbers moving through the credit card processing networks. Gonzales provided the servers used by other hackers to break into the wireless system and tested the malware used to ensure it would avoid detection by the computer systems’ antivirus programs.

Many of the retailers targeted have since been sued for damages and criticized for having too lax security measures, particularly taking too long to deploy a newer and more advanced security encryption protocol in their computer systems.

Data security breaches have been on the rise, increasing by 47% from 2007 to 2008, according to the non-profit organization Identity Theft Resource Center. By July of 2009, 310 security breaches had been reported, including a break-in at Network Solutions, where hackers compromised credit card information and other personal information for more than 4,000 e-commerce sites.

Published: December 30, 2009