TJX hacker sent to jail for 20 years after stealing 40 million credit cards

Albert Gonzalez, the 28-year-old college dropout who was the mastermind of a hacking ring that stole over 40 million credit and debit card numbers from retailers including TJ Maxx, Barnes & Noble and BJ's Wholesale Club, has been sent to jail for 20 years.

Miami-based Gonzalez, who went by the handle of "Sevgec", was the ringleader behind what has been described as the single largest and most complex hacking and identity theft that has ever been prosecuted.

Gonzalez and a team of "wardriving" accomplices initially exploited insecure corporate wireless networks, gaining access to the communications of several retailers. Reports emerged in 2007, for instance, that the TJX data breach occurred because of weak WEP encryption in use at two of its Marshalls stores in Miami.

Once they had gained access, the hackers were able to install a packet sniffer on TJX's network which was able to scoop up details of transactions in real-time, including the data stored on payment cards.

Another member of the gang, 25-year-old Ukrainian Maksym Yastremskiy, also known as "Maksik", was sentenced to 30 years in a Turkish prison in early 2009, after being found guilty of selling hundreds of thousands of the stolen credit card numbers and other personal information to the criminal underground.

Evidence found on Maksik's computer systems helped build the case against Gonzalez, who was unsuccessful in convincing the court in Boston, Massachusetts, that he suffered from Asperger's syndrome or computer addiction.

News of the serious security breach was, of course, highly embarrassing for TJX and the other companies concerned - who must have worried that customers would lose confidence in their ability to securely hold their sensitive data.

Statement on TJX website

Twenty years is a breathtaking sentence for anyone to receive, but is particularly unusual for a computer crime. In fact it's my belief that it's the stiffest sentence ever given by a US court for hacking and identity theft.

Fascinatingly, it has been reported that Gonzalez was actually working for the US Secret Service as a "confidential informant" when they became aware of his involvement in the hacks against the TJX group of companies in 2007.

It seems to me that Gonzalez's double-dealing (stealing information from big companies with one hand, while fighting crime with the Secret Service on the other) is clear evidence of his arrogance - believing that he would never be found out and punished.

About the author

Graham Cluley is an award-winning security blogger, and veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations. Send Graham an email, subscribe to his updates on Facebook, follow him on Twitter and App.net, and circle him on Google Plus for regular updates.