The computer hacker behind the theft of more than 40 million credit card numbers from retailers such as The TJX Cos. Inc. pleaded guilty on Friday in one of the largest U.S. identify theft cases.
Albert Gonzalez faces up to 25 years in prison after separate plea agreements with federal prosecutors in New York and Boston.
Gonzalez, a 28-year-old Miami resident, was indicted in New York in May 2008 on charges related to a security breach at Dave & Buster’s restaurants. Prosecutors filed additional charges in August 2008 related to security breaches at TJX, DSW Inc., Forever 21 Inc. and other retailers.
TJX, the largest target in the Boston indictment, acknowledged its networks had been compromised in January 2007.
In the Boston case, Gonzalez pleaded guilty to 19 counts of computer, wire and access device fraud; conspiracy, and aggravated identity theft and faces 15 to 25 years in prison. In New York, he pleaded guilty to one count of conspiracy to commit wire fraud and faces a maximum 20-year sentence. His prison terms will run concurrently, authorities said.
In addition, Gonzalez faces a fine of as much as $250,000 per charge. He agreed to forfeit assets, including his Miami condominium, a 2006 BMW and more than $2.7 million, $1 million of which he had buried in his backyard, prosecutors said.
Sentencing is scheduled for Dec. 8.
According to the indictments, Gonzalez, who had been an informant helping the Secret Service find other hackers, led a group of co-conspirators that hacked into retailers’ wireless networks and installed software to capture consumers’ data. The group then sold the numbers or imprinted the information on blank cards and fraudulently withdrew cash from ATMs.
Gonzalez is still under indictment in New Jersey, where the Justice Department charged him last month in the theft of an additional 130 million credit and debit card numbers from 7-Eleven Inc., Heartland Payment Systems and Hannaford Brothers Co. Inc.