Who Is Albert Gonzalez?
The best way to understand a person’s motivation for committing a crime, is to look into their history. Cyber crime is no different. In this in-depth look at the online fraud case against Albert Gonzalez, we’ll get some insight into why he committed the largest identity fraud case in U.S. history. Albert started using computers at an early age, and while in high school, managed to hack into the government of India’s website. Sadly, he was not charged at this stage and only warned to stay away from computers for six months.
That was the first of many red flags in Albert’s troubled history with hacking. At the age of 19, he started his own group of hackers, named ShadowCrew, which trafficked over a million credit card numbers for use in online fraud. When the FBI finally managed to shut the group down, Albert was charged. However, he worked with the investigators and gave away vital information on his cohorts and did not need to serve a sentence. Albert has always been known as someone who had the abilities, but what was his motivation? Was it credibility in the online world? No, otherwise he wouldn’t have given up his cohorts so easily. Was it the need to be the best at what he does? No, otherwise he wouldn’t have formed a group to help him. Was it to help find vulnerabilities for companies so that he could swoop in and help? Absolutely not, he would’ve stopped well before he was selling credit cards, debit cards and social security numbers in the online black market.
One thing to always understand about cyber crime is that its not about credibility or trying to be the ‘best’, as movies would have you believe. In the end, the main motivator is greed and the motivation is financial gain. The weak security standards of large corporations in conjunction with slow to react cyber crime legislation around the world, the ‘why’ part of this equation is answered easily. Albert had the abilities and motivation to perform one of the largest online fraud cases in U.S. history.
How Did This Happen?
After two years worth of sensitive data and 45.6 million credit card and debit card numbers were compromised, TJX Companies notified the authorities of their data leakage. How could something so
large be unnoticed for so long? Was Albert smart enough to be able to evade security systems in place for TJX Companies? The simple answer is, no. TJX Companies, which operates discount stores such as T.J. Maxx and Marshall’s, was simply not prepared for a hacker to access their systems, like many companies. Starting in 2005, Albert started war driving and found non secure wireless networks on TJX Companies’ systems. Albert worked with others to find vulnerable servers to attack, infiltrate and later use to jumpbox into other more secure servers. From there, he and his conspirators were able to install malware and software for stealing data. TJX didn’t do their due diligence in hardening each of their servers, encrypting traffic and installing up-to-date anti-malware software.
Albert had the abilities to crack and hack his way through, but the low security measures didn’t help TJX. Like shooting fish in a barrel, Albert was able to install his malware and sniffing software onto the networks of TJX and all the stores operating under them, even outside of the United States. TJX discovered the breach in December of 2006 and was under the belief that they had only been losing data for the past six to seven months, dating back to May 2006. After further investigation, they found that they were losing sensitive data since 2005. Albert had already moved on to bigger and better operations by the time TJX had even started discovering the extent of their security breach.
TJX was only the beginning of this large online fraud case, read on to page 2 to see the next target that lost over 100 million credit card numbers…
Heartland Payment Systems
TJX wasn’t the only large company he was gathering and using sensitive information from, there was another large whale of a target,
Heartland Payment Systems. Heartland Payment Systems is a payment processor that runs millions of transactions for retail stores and restaurants, the next viable step for Albert. Albert Gonzalez may have possibly used TJX Companies as a testing ground to see the simplicity of corporate retail companies before jumping in towards Heartland. In 2008, he used the same tactics, this time with different compatriots, to once again find and attack vulnerable servers to jumpbox into more secure servers. From there he once again planted malware and sniffing software to start stealing data. This vicious and extremely rewarding operation was labeled as Operation Get Rich or Die Tryin’ by Albert. Was Heartland Payment Systems ready for the attack and ready to put Albert in the Die Tryin’ side of his operation, or would the outcome be similar to TJX Companies?
The outcome of the attack was Albert landing in the Get Rich bucket of his operation; Albert stole over 100 million credit card numbers in his scheme, adding onto his already large amount of numbers from the TJX escapade. His online fraud case was now the largest online fraud case in the world, with an incredible amount of information stolen from extremely large companies. Heartland Payment Systems didn’t discover their loss until after Albert was arrested for a separate crime and admitted to being involved in hacking TJX Companies and Heartland Payment Systems.
How Albert Was Caught and His Punishment
After stealing millions and millions of credit cards, living a wealthy and extravagant lifestyle at the expense of other people and avoiding jailtime, Albert was finally caught for making a simple mistake. It wasn’t a company wide investigation nor a security alert that brought this house of cards down, it was Albert and his crew making too many frequent stops to a Dave and Buster’s restaurant. Albert and his team had hacked into a point of sale system at one of the restaurants, which gathered a few thousand credit card numbers. The only problem with the hack was that it had to be restarted after the system was shut down.
Albert and his co-conspirators visited the restaurant often, making sure to restart the hacked point of sale systems any time Dave and Buster’s shut down their systems. Prior red flags in Albert’s history, his constant visits of one restaurant and suspicious activity, finally lead to his arrest by authorities. Multiple police raids seized over a million dollars in cash, a condominium in Miami, a BMW, a firearm and of course Albert’s laptops.
On March 25, 2010, Albert Gonzalez was sentenced to 20 years in prison for his role in the hacking of TJX and Heartland Payment Systems, and also fined $25,000. Restitution for the damages caused is still being decided on. His co-conspirators have also been caught, some await trial dates and others already received sentences for their crimes. Of course, if Albert Gonzalez didn’t live in the United States, his sentence may have ended up being lower or he may have never been captured at all.