| Remember Albert Gonzalez? He’s someone whom CIOs, CSOs and anyone else involved protecting companies against identity theft aren’t likely to forget soon.
On Thursday a federal judge in Boston sentenced Gonzalez, the head of what prosecutors call the largest identity theft ever, to a 20-year prison sentence.
Last August, federal prosecutors charged 28-year-old Gonzalez, whose online handles included “soupnazi,” with breaking into the computer networks of major retailers and financial institutions and stealing data from upwards of 130 million credit and debit cards. He resold the information.
“The scope is massive,” Assistant US Attorney Erez Liebermann said when Gonzalez was charged. “The guy worked very, very hard at something he was very good at.”
He was also very, very well compensated. The feds estimate he amassed $2.8 million, $1.1 million of which was found buried in his parents’ backyard in Miami. Another $400,000 was discovered in his South Beach hotel room, according to Tom Elfrink’s blog in the Miami New Times.
The list of Gonzalez’s victims includes Maine-based supermarket chain Hannaford Brothers, 7-Eleven, BostonMarket, TJX Cos. BJ’s Wholesale Club, OfficeMax, Barnes & Noble, Sports Authority and the Dave and Busier restaurant chain. There may have been others, but you get the idea. This guy’s been called the Al Capone of computer crime, but Capone never pulled off anything so ambitious.
Now, with the soupnazi out of commission for 20 years, the guardians of corporate data can presumably breath a little easier. His case helped bring about a new data security law in Massachusetts to help defer future theft. And his major heist -- the so-called TJX breach -- has become a worst-case scenario case history. And for good reason. The data breaches could end up costing TJX over $1 billion, according to some estimates
.
Even with Gonzalez secured in a cell block, however, a number of disturbing questions remain about this case. The members of Gonzalez's ring have variously been identified as including a Urkainian jet setter, several Russians, a Morgan Stanley software engineer, and hackers from Estonia, China and Belarus. In fact, of the eleven indicted, only three were U.S. citizens.
In addition, the data Gonzalez and his crew stole was either sold to criminal gangs in Eastern Europe and elsewhere or used by Gonzalez and his crew to create fraudulent cards for their own use.
Question: How does a 28-year old hacker from Miami, no matter how brilliant, pull together an international team of identity theft profiteers? One scenario that at least is worth consideration: Gonzalez is a figurehead, perhaps for the Russian mob. If that’s the case, the danger of data breaches of breath-taking magnitude won’t disappear with Albert Gonzalez.
|
