BOSTON — Convicted TJX hacker Albert Gonzalez was sentenced to 20 years in prison on Thursday for leading a gang of cyberthieves who stole more than 90 million credit and debit card numbers from TJX and other retailers.
The sentence for the largest computer-crime case ever prosecuted is the lengthiest ever imposed in the United States for hacking or identity-theft. Gonzalez was also fined $25,000. Restitution, which will likely be in the tens of millions, was not decided Thursday.
Clean-cut, wearing a beige jail uniform and wireframe glasses, the 28-year-old Gonzalez sat motionless at his chair during Thursday’s proceedings, his hands folded in front of him.
Before the sentence was pronounced, Gonzalez told the court he deeply regrets his crimes, and is remorseful for having taken advantage of the personal relationships he’d forged. “Particularly one I had with a certain government agency … that gave me a second chance in life,” said the hacker, who had worked as a paid informant for the Secret Service. “I blame nobody but myself.”
“I violated the sanctity of my parents’ home by using it to stash illegal proceeds,” said Gonzalez. He asked for a lower sentence “so I can one day prove to [my family] that I love them as much as they love me.”
The hacker’s voice cracked and his gaze drifted to the floor as he finished his statement. His father, mother and sister sat in the front row of the gallery; Gonzalez’s father’s eyes reddened and he held a tissue to his face.
Gonzalez, who once dubbed his criminal enterprise “Operation Get Rich or Die Tryin’,” had argued in court filings that his only motive was technical curiosity and an obsession with conquering computer networks. But chat logs the government obtained showed Gonzalez confiding in one of his accomplices that his goal was to earn $15 million from his schemes, buy a yacht and then retire.
The hacker had faced a sentence of between 15 and 25 years for the TJX string of intrusions. The government sought the maximum, while Gonzalez sought the minimum, on grounds that he suffered from Asperger’s disorder and computer addiction, and that he cooperated with the government extensively against his U.S. co-conspirators and two Eastern European hackers (known only as “Grigg” and “Annex”). Gonzalez even provided the government with information about breaches that had not yet been detected.
Albert Gonzalez at the 2001 DefCon hackers' convention in Las Vegas
A psychiatrist who examined Gonzalez for prosecutors, however, found no evidence of Asperger’s disorder or computer addiction. At Thursday’s hearing, assistant U.S. attorney Stephen Heymann urged the court to hand down a 25-year sentence that would strongly deter future Albert Gonzalezes from a life of cybercrime.
Gonzalez “conned law enforcement once before with the idea that he had seen the error of his ways,” said Heymann. “What matters is that teenagers and young people not look up to him.”
Defense attorney Martin Weinberg argued the minimum 15-year sentence would be sufficient to set an example. “That’s an enormous, devastating sentence … and a compelling and clear message to anyone looking at this case that they would suffer what he has suffered.”
In splitting the difference, U.S. District Judge Patti Saris credited Gonzalez for his apparent remorse, and his bond with his family. But Saris said she was disturbed by the fact that he committed his crimes while working for the government. She explained the low $25,000 fine by predicting her restitution order, to be set at a future hearing, will be sizable.
“You’re never possibly going to be paying back all the restitution that’s going to be ordered,” said Saris.
A computer security professional who sold Internet Explorer exploit code to credit card hacker Albert Gonzalez was sentenced Tuesday in Boston to three years probation and a $10,000 fine.
