Hacker Pleads Guilty In Major Identify Theft

A hacker accused of stealing tens of millions of credit and debit card numbers in one of the largest computer break-ins in U.S. history pleaded guilty Friday to fraud, identity theft and other charges.

As part of a plea agreement with federal prosecutors, Albert Gonzalez, 28, of Miami, also agreed to forfeit more than $2.7 million, a Miami condo, a 2006 BMW 330i, a Tiffany diamond ring and Rolex watches. He faces up to 20 years in prison and is scheduled to be sentenced Dec. 8

Gonzalez pleaded guilty in a Boston federal court to 20 counts of conspiracy, computer fraud, wire fraud, access device fraud and aggravated identity theft. Nineteen of the charges were contained in an indictment handed down in Massachusetts in August 2008, and one charge, conspiracy to commit wire fraud, stemmed from a New York indictment handed down in May 2008.

The Massachusetts charges stemmed from the hacks into numerous major U.S. retailers, including TJX Companies, BJ's Wholesale Club, OfficeMax, Boston Market, Barnes & Noble and Sports Authority. In New York, the charge was related to hacks into the Dave & Buster's restaurant chain. More than 40 million credit and debit card numbers were stolen from the retailers, according to federal prosecutors.

Gonzalez and two unidentified co-conspirators located in or near Russia broke into credit-card payment systems through a series of sophisticated techniques, including "wardriving" and the installation of sniffer programs to capture credit and debit card numbers, according to the indictments. Wardriving involves driving around in a car with a laptop to find accessible wireless computer networks in retail stores.

Gonzalez and his co-conspirators sold the numbers and also engaged in ATM fraud by encoding the data on the magnetic strips of blank cards and withdrawing tens of thousands of dollars at a time, according to the indictments. Gonzalez and the others concealed and laundered the money they received through the Web and by channeling funds through bank accounts in Eastern Europe.

"Technology has forever changed the way we do business, virtually erasing geographic boundaries," U.S. Secret Service Director Mark Sullivan said in a Justice Department statement announcing the guilty plea. "However, this case demonstrates that even in the cyber world, there is no such thing as anonymity."

Gonzalez faces a third federal indictment handed down in New Jersey last month. He's accused of stealing credit and debit card numbers from major U.S. retail and financial companies in the state, including Heartland Payment Systems, a New Jersey-based card payment processor; 7-Eleven Inc., a Texas-based nationwide convenience store chain; and Hannaford Brothers Co. Inc., a Maine-based supermarket chain. That case is pending.

InformationWeek Analytics has published an independent analysis on data-loss prevention. Download the report here (registration required).