TJX Hacker Sentenced To 20 Years

In a clear signal of how serious authorities are now regarding cyber crime, the man behind some of the most infamous hacks of recent times has been sentenced to 20 years in prison.

Albert Gonzalez, 28, pleaded guilty in 2009 to charges in Massachusetts, New York and New Jersey and faced as many as 25 years behind bars for hacking several major retailers, including BJ’s Wholesale Club, TJX Companies and OfficeMax. Gonzalez still faces sentencing for involvement in a slew of other breaches, including the compromise of millions of credit cards in the Heartland Payment Systems breach.

The sentence is the longest ever imposed in a hacking or identity theft case. Gonzalez’s lawyer reportedly argued for leniency, stating that Gonzalez exhibited behaviour consistent with Asperger’s Syndrome. Prosecutors meanwhile sought a 25-year sentence on the grounds that Gonzalez’s crew “shook a portion of our financial system” and a stiff sentence would serve as a deterrent.

The Gonzalez cases helped invigorate discussions about compliance with PCI DSS (the Payment Card Industry Data Security Standard) and the fact that annual compliance audits are only snapshots in time, not the be-all and end-all of security.

“PCI remains the most successful cyber-security mandate today, but as we all know, achieving compliance doesn’t always mean achieving security,” said Amichai Shulman, CTO of Imperva. “The Gonzalez attacks are a case in point. Companies should look to the PCI council to help them better define and implement policies and technologies that protect sensitive data, and should always strive to improve and enhance their data security practices to meet or exceed industry standards.”

Michael Maloof, CTO of TriGeo Network Security, was optimistic the sentence would send a clear message to cyber-criminals.

“If you use a computer to steal or provide tools that encourage others to steal, you will go to jail – hopefully, for a very, very long time,” Maloof said.