Hacker Gonzalez Sentenced to 20 Years for Exploits
The sentence imposed by U.S. District Court Judge Douglas P. Woodlock was for Gonzalez's role in a hacking ring that broke into computer networks of Heartland Payment Systems, which processed credit and debit card transactions for Visa and American Express, Hannaford Supermarkets and 7-Eleven. The sentence is actually 20 years and one day, owing to the need to deal with peculiarities in sentencing statutes, because Woodlock had to take into account that Gonzalez was on pretrial release for an unrelated crime when he took up with the international network of hackers responsible for the security breaches. He was at the time supposed to be serving as an informant for the U.S. Secret Service, but he double-crossed the agency, supplying a co-conspirator with information obtained as part of those investigations.
"I am guilty of these crimes ... I accept full responsibility for these actions," Gonzalez said at the sentencing, reiterating what he said Thursday about "exploiting" his relationship with a government agency, though he did not name it. He also referred to the "dishonor" he brought to his parents and their home, where he buried more than US$1 million in the backyard. He forfeited that money, as well as other goods, when he was arrested.
"I plead for leniency," he said. "I understand that the road to redemption is going to be long for me," adding that it was his hope, however, that he would be able to be on that road someday.
Sentenced Earlier as Well
The sentence will run concurrently with two other 20-year concurrent sentences meted out Thursday, also in the U.S. District Court for the District of Massachusetts, by a different federal judge, Patti B. Saris. Gonzalez pleaded guilty in all three cases last December, with the U.S. Department of Justice agreeing to seek no more than 25 years in prison in each case, all to run concurrently.
Gonzalez, 28, was living in Miami at the time of the crimes in the three cases, which occurred over almost two years before he was arrested in May of 2008 and subsequently indicted in New York, New Jersey and Massachusetts, with the cases eventually being moved to the same federal court jurisdiction. Besides the companies targeted in the case heard Friday, a ring that Gonzalez led hacked into computer networks of major retailers including TJX, DSW, Barnes & Noble, Office Max and Dave & Buster's. They stole tens of millions of credit and debit card numbers, using some to make withdrawals at ATM machines and selling millions of the numbers to other criminals, in what prosecutors termed "unparalleled" online theft.
The case before Judge Woodlock differed from those heard by Judge Saris in a number of substantive ways, according to both Assistant U.S. Attorney Stephen Heymann and defense attorney Martin Weinberg. First, Gonzalez was not the leader of the international network of hackers, as he was with the cybercrime group that hacked the retailers and the Dave & Buster's restaurant network.
In the group where he was the mastermind, the criminals knew each other personally, in some instances having gone to school together and socialized together. Most of their hacking was done in cars or when the criminals were physically near a location, breaching networks wirelessly to steal information. In contrast, the international ring came together through connections made only in cyberspace, with no real hierarchical structure. They were a group of "elite international hackers ... moving seamlessly over international borders," Heymann said.
The international group used more sophisticated SQL injection attacks and had advanced from hacking into retailers' systems to attacking the financial system itself, Heymann said to answer questions from Judge Woodlock, who sought an explanation for differences between the cases. "It acts like a tremor," rippling through the system and shaking the faith of people in credit and debit card transactions and companies. Customers can choose to not shop with a retailer whose system has been proven vulnerable to hackers, but that's not so easy to do when the companies under attack are those that process payments.
That international aspect and the way in which the cyberthieves connected made the case before Judge Woodlock particularly "dangerous" and part of an increasingly sophisticated approach to cybercrime that is particularly troubling to law enforcement agencies, Heymann noted.
While Judge Woodlock took all of that in, he also said that he believed that Judge Saris' sentences were reasonable and that it would be appropriate for him to impose the same number of years. After doing so, he offered advice to Gonzalez, whose intelligence and "gifts" the judge recognized.
"People with your gifts often find themselves dealing obsessively with computers," he said, adding that Gonzalez misapplied his abilities, and that while "the perception is that there's no harm if you don't see the people," the judge had heard from some of those affected in victim impact statements. He was especially taken by an elderly couple whose lives were badly disrupted when their private information was obtained through hacking into the Hannaford system. And so it was his duty, Judge Woodlock said, to address the issue of deterrence and to impose a sentence that would send a message to other cybercriminals and would-be cybercriminals.
"You're going to lose the middle part of your life because of this," he told Gonzalez. "You're in your middle 20s, you'll be in your middle 40s when you get out. You'll feel that. ... This is real time. And it's meant to deliver a message to others."
That wasn't the only message the judge delivered.
In a major twist to the case -- and all three cases have been full of twists and turns -- the sentencing hearing opened with Judge Woodlock taking up issues related to sealed court documents in the case dealing with two unnamed payment-processing companies whose security systems Gonzalez breached, also by SQL injection attacks, and planted malware on in November of 2007. Those companies -- referred to in documents and in court Friday as "Company A" and "Company B" -- sought protective orders under the Massachusetts law that protects victims' rights.
The DOJ had agreed when the indictments were prepared that the companies would remain unnamed because neither one has publicly disclosed the breaches. Attorneys for the companies each argued -- unconvincingly as it turned out -- that because no customer data was stolen or ever used by criminals that they had no legal obligation to make the breaches known. They further argued that the companies they represent have a right to privacy.
Judge Woodlock clearly was not buying that argument from the get-go, declaring outright that in his view companies have no such right even though such notions are "in the air these days." He made obvious references to a recent controversial U.S. Supreme Court ruling that said otherwise when it comes to corporate rights. But at least in Judge Woodlock's courtroom, such rights will not be conferred -- he intends to unseal the court documents and therefore publicly name the two companies because shareholders and customers have a right to know that their security systems were, even if they are not now, vulnerable.
He also was not moved by the argument that the breaches occurred long enough ago that it's no longer relevant to let customers know that they occurred. "They've had three years to alert their shareholding public -- they've chosen not to, improvidently," he said.
Financial Loss Unclear
The two companies will not be part of whatever restitution agreement is reached in the case because they did not suffer financial losses. The matter of restitution was not taken up by Judge Woodlock and will be combined with restitution in the cases before Judge Saris.
Exactly how much financial damage was done may never be fully known, but the effects on companies involved were severe enough to warrant filings with the U.S. Securities and Exchange Commission. And Heartland, for instance, says it lost nearly $130 million because of the security breaches. Heartland agreed to multimillion-dollar settlements with Visa and American Express for damages incurred by those companies in the thefts, which set off a reappraisal of corporate network security overall and prompted widespread changes as businesses sought to shore up security. As Heymann noted, the efforts of Gonzalez's hacking ring also led the companies involved on a wild chase to close back doors and other entry points that the hackers exploited to access systems, which cost them yet more money.
A restitution hearing was set by Judge Saris for June 25.
And while the companies involved will be engaged in figuring out what to tell the court about how much they lost financially, the loss for Gonzalez's family was evident in the courtroom Thursday and Friday. His parents and sister attended the hearings -- he sought them out when he entered the courtoom to offer them a smile, and Friday as he was led out, as they wiped tears away, he mouthed a "good-bye" to them.