But Gonzalez, 28, will serve only a total of 20 years because the latest ruling is concurrent with the first sentence, according to published reports.
Gonzalez's 20-year sentence, announced yesterday in U.S. District Court in Boston for stealing and selling payment card information in his hacking of TJX, BJ's Wholesale Club, OfficeMax, Boston Market, Barnes & Noble, Sports Authority, and Dave & Busters restaurants, was the largest ever levied for a computer crime. It's considered the largest identity theft case ever in the U.S.
But it wasn't the maximum penalty he could have received: Gonzalez faced anywhere from 17 to 25 years behind bars.
Jeffrey Troy, acting deputy assistant director of the FBI's cyber division, says Gonzalez's big sentence was commensurate with the amount of damages the hacks incurred. The FBI's Troy says the outcome of the trial should make an impact on cybercriminals. "Sitting at a computer [and robbing a bank, for instance] should not give anybody an increased level of comfort that they are not going to be pursued by the authorities. They are going to be," Troy says.
In September, Gonzales admitted to the TJX breach, and later plead guilty to stealing data from Heartland Payment Systems, Hannaford Brothers, 7-Eleven, and Target Co.
Federal prosecutors say Gonzalez's crimes in the TJX case cost the companies and insurers nearly $200 million by his actions.
Gonzalez, also known as "segvec," soupnazi," and "j4guar17," conducted most of his dirty deeds during 2005 to 2008 while he served as a paid undercover informant for the U.S. Secret Service. He reportedly was paid a $75,000 salary by the agency. He had called his cybercrime enterprise "Operation Get Rich Or Die Tryin.'" In August, he was indicted, along with two Eastern Europeans for the hacks of Heartland, Hannaford Bros, 7-11, and two retailers who have not yet been revealed. Michael Maloof, CTO at TriGeo Network Security, says he was hoping for a major sentence for Gonzalez. "He was also a supplier, who made the tools and techniques" and sold them to others, Maloof says. "He was a cybercrime pusher and organizer."
But while the sentence should send a message, the Gonzalez case certainly won't be the last, according to Maloof. "I wish I could say crime doesn't pay. So many cybercriminals are not caught," he says. "But anything that might give someone pause so that they think twice before going down this path might help."
Gonzalez and his crew used classic and well-known hacking methods -- namely SQL injection, packet sniffing, and backdoor malware designed to evade detection -- that experts say could have been thwarted.
Specifically, Gonzalez allegedly provided his co-conspirators -- two of whom resided in Russia and another in Virginia Beach, Va. -- with SQL injection strings to use for hacking into the victims' networks. He also provided them with malware to plant inside the victims' systems that would serve as a backdoor for subsequent access. The attackers installed sniffers to capture credit and debit-card numbers and other card data. They wrote malware that could avoid detection by anti-virus software in order to remain under the radar. The stolen data was sent back to servers operated by the suspects that were located in California, Illinois, Latvia, the Netherlands, and Ukraine, according to the indictment.
Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.