TJX hacker sent to jail for 20 years after stealing 40 million credit cards

Albert GonzalezAlbert Gonzalez, the 28-year-old college drop out who was the mastermind of a hacking ring that stole over 40 million credit and debit card numbers from retailers including TJ Maxx, Barnes & Noble and BJ’s Wholesale Club, has been sent to jail for 20 years.

Miami-based Gonzalez, who went by the handle of “Sevgec”, was the ringleader behind what has been described as the single largest and most complex hacking and identity theft that has ever been prosecuted.

Gonzalez and a team of “wardriving” accomplices initially exploited insecure corporate wireless networks, gaining access to the communications of several retailers. Reports emerged in 2007, for instance, that the TJX data breach occurred because of weak WEP encryption in use at two of its Marshalls stores in Miami.

Once they had gained access, the hackers were able to install a packet sniffer on TJX’s network which was able to scoop up details of transactions in real-time, including the data stored on payment cards.

Another member of the gang, 25-year-old Ukranian Maksym Yastremskiy, also known as “Maksik”, was sentenced to 30 years in a Turkish prison in early 2009, after being found guilty of selling hundreds of thousands of the stolen credit card numbers and other personal information to the criminal underground.

Evidence found on Maksik’s computer systems helped build the case against Gonzalez, who was unsuccessful in convincing the court in Boston, Massachussetts, that he suffered from from Asperger’s syndrome or computer addiction.

News of the serious security breach was, of course, highly embarrassing for TJX and the other companies concerned – who must have worried that customers would lose confidence in their ability to securely hold their sensitive data.

Statement on TJX website

Twenty years is a breathtaking sentence for anyone to receive, but is particularly unusual for a computer crime. In fact it’s my belief that it’s the stiffest sentence ever given by a US court for hacking and identity theft.

Fascinatingly, it has been reported that Gonzalez was actually working for the US Secret Service as a “confidential informant” when they became aware of his involvement in the hacks against the TJX group of companies in 2007.

It seems to me that Gonzalez’s double-dealing (stealing information from big companies with one hand, while fighting crime with the Secret Service on the other) is clear evidence of his arrogance – believing that he would never be found out and punished.