All posts tagged ‘Albert Gonzalez’

Final Conspirator in Credit Card Hacking Ring Gets 5 Years

Damon Patrick Toey, the “trusted subordinate” of TJX hacker Albert Gonzalez, was sentenced in Boston on Thursday to 5 years in prison.

He also received a $100,000 fine and three years’ supervised release, according to the Justice Department.

Toey, 25, helped Gonzalez breach the networks of numerous companies through SQL injection attacks in 2007 and 2008 and also served as a vendor selling stolen card data. Upon his arrest in May 2008, he provided information that investigators say likely helped persuade Gonzalez to plead guilty last year to what prosecutors are calling the most serious and largest identity-theft crimes ever prosecuted.

Toey was the last of six U.S. defendants sentenced for the crimes. In all, federal judges have handed out nearly 38 years against Gonzalez and his crew, with Gonzalez getting the stiffest sentence by far.

Gonzalez received three concurrent sentences last month, amounting to 20 years in prison for his role in the hacks of TJX, Hannaford Brothers, Heartland Payment Systems and others, which resulted in the theft of more than 200 million credit- and debit-card numbers. After his arrest, Gonzalez led investigators to a stash of more than $1 million in cash buried in a barrel in his parents’ backyard.

Toey, who prosecutors say earned only about $80,000 for his role in the crimes, faced a maximum sentence of 22 years. Prosecutors took into consideration his extensive cooperation with authorities, and sought only 6 years in prison and a $100,000 fine, with no restitution.

According to his defense attorney’s sentencing memo, Toey was raised by a single mother, who later married and had two more children. He was little-supervised, and at age 11 began experimenting with marijuana and spending extended periods of time on the computer. At 15 he dropped out of school. After his mother’s divorce shortly thereafter, he and his family went through a string of evictions, and ended up staying with family friends for a while, where his mother spent much of her time partying, drinking and smoking pot.

Prosecutors Seek 6-Year Sentence for TJX Hacker’s ‘Trusted’ Accomplice

If TJX hacker Albert Gonzalez had gone to trial instead of pleading out, one man would have been the primary witness against him — accomplice Damon Patrick Toey.

Toey, identified often in court documents simply as “PT,” provided information that investigators say likely helped persuade Gonzalez to plead guilty last year to multiple crimes, which prosecutors are calling the most serious and largest identity-theft crimes ever prosecuted.

Toey, 25, will on Thursday become the last of six U.S. defendants sentenced for the crimes. The others include Gonzalez, Christopher Scott, Humza Zaman, Jeremy Jethro and Stephen Watt. Other, unidentified Eastern European hacking accomplices are presumed to be still at large.

Gonzalez received three concurrent sentences last month, amounting to 20 years in prison for his role in the hacks of TJX, Hannaford Brothers, Heartland Payment Systems and others, which resulted in the theft of more than 200 million credit- and debit-card numbers. After his arrest, Gonzalez led investigators to a stash of more than $1 million in cash buried in a barrel in his parents’ backyard.

Toey, who prosecutors say earned only about $80,000 for his role in the crimes, faces a maximum sentence of 22 years. Prosecutors are taking into consideration his extensive cooperation with authorities, and are seeking only 6 years in prison and a $100,000 fine, with no restitution. His defense attorney is asking for 30 to 36 months and a maximum fine of $50,000.

His defense attorney’s sentencing memo provides a look at the unstable and peripatetic life that led the at-times homeless teen to a career in crime with his friend.

Toey was raised by a single mother, who later married and had two more children, according to his attorney. He was little-supervised, and at age 11 began experimenting with marijuana and spending extended periods of time on the computer. At 15 he dropped out of school. After his mother’s divorce shortly thereafter, he and his family went through a string of evictions, and ended up staying with family friends for a while, where his mother spent much of her time partying, drinking and smoking pot.

Government Stops Shielding Corporate Breach ‘Victims’

For the past few months, national retailer J.C. Penney has been fighting an under-seal court battle to keep you from knowing that its payment card network was breached by U.S. and Eastern European hackers.

Scenes From a Hack

Chat logs between Albert Gonzalez and an Eastern European accomplice regarding the J.C. Penney intrusion

Gonzalez : 11/1/2007 7:50:38 PM

have you done any work on jcp?

372712: 11/1/2007 7:51:13 PM

i personally didnt, [hacker 2] just scanned few sqls for weak pw

Gonzalez : 11/1/2007 7:52:12 PM

i thought jcp was inject

372712: 11/1/2007 7:52:29 PM

yes i mean he scanned inside

372712: 11/1/2007 7:52:37 PM

i hacked jcp with injection too

372712: 11/1/2007 7:53:26 PM

they have most of ports open wasnt too hard


Gonzalez: 11/4/2007 8:04:01 PM

what did [hacker 2] say about jcp?

372712: 11/4/2007 8:04:40 PM

he hacked 100+ sqls inside and stopped


372712: 12/16/2007 3:31:45 PM

[hacker 2] told me he found a place to sniff for dumps [credit card magstripe data] in jcp […]

372712: 12/16/2007 3:36:01 PM

i see, hacker 2 showed you anything?

372712: 12/16/2007 3:36:19 PM

JCP-J98 A..??..hIPCRED980?8U\$?…T10014.I000
COLJ wa……[REDACTED]/LISA A ^49127010[REDACTED]0000000000000

JCP-J98 A..??..hIPCRED9808U\$?…T10014.I000
COLJ[REDACTED]/LISA A^49127010[REDACTED]000000000

Gonzalez: 12/16/2007 3:36:19 PM

nope, when did [hacker 2] have this news?

372712: 12/16/2007 3:36:30 PM

yesterday?

Gonzalez: 12/16/2007 3:38:19 PM

hmm, where is track2?

372712: 12/16/2007 3:39:42 PM

hm yea, maybe he didn’t send me full log

Gonzalez: 12/16/2007 3:39:59 PM

im curious how [hacker 2] moved around on jcp so quickly w/o making noise

372712: 12/16/2007 3:40:59 PM

sql servers is his key to everything heh


Gonzalez: 12/24/2007 3:38:20 PM

i got access to the jcp pos [point-of-sale] network :)


372712: 3/17/2008 7:25:10 PM

how are things ended with JCP?

Gonzalez :3/17/2008 7:25:53 PM

i stopped bruting the domain admin pw

Gonzalez: 3/17/2008 7:26:01 PM

after [hacker 2] got domain admin i stopped

Source: Government court filing in U.S. v. Gonzalez

The intrusions, by TJX hacker Albert Gonzalez and his overseas accomplices, occurred beginning in October 2007. J.C. Penney admits it was “wholly unaware” of the breach until the Secret Service told the company about it in May 2008, but now says with certitude that no identity or bank-card data was stolen in the breach it failed to detect. That’s why the company didn’t want to be identified to the public, says spokeswoman Darcie Brossart.

“Because there was no reason to think that the hackers were successful, there was no need to alarm J.C. Penney customers,” says Brossart. “We believed we had a legitimate interest in not being linked to criminal activity that resulted in major thefts from other companies.”

So in court filings, J.C. Penney argued that it was entitled to anonymity under the 2004 Crime Victims’ Rights Act, a law intended to protect the “dignity and privacy” of victims. A federal judge on Friday ordered the company’s identity unsealed anyway, as well as that of a second breached company, clothing retailer Wet Seal.


It’s a familiar story. Companies have never been eager to have their security slip-ups revealed to consumers. What was different, and remarkable, this time around is that an assistant U.S. attorney argued that J.C. Penney and Wet Seal should be identified. The lead prosecutor in the largest identity-theft hacks in U.S. history argued for disclosure.

From a motion by Assistant U.S. Attorney Stephen Heymann, which was unsealed Monday:

The Secret Service went to J.C. Penney with the information and evidence that its computer system, used to process payment card transactions, had been broken into. Although the protective system used by J.C. Penney had unquestionably failed, the Secret Service had no evidence as to whether payment card numbers had been stolen.

Our presumption of public disclosure in charged criminal cases does not depend on the costly proof of evidence of negligence by the corporation, which we rarely can obtain, and then only with the full cooperation and guidance of the company. Most people want to know when their credit or debit card numbers may have been put at risk, not simply if, and after, they have clearly been stolen.

The presumption of disclosure has an additional significant benefit, though…. Knowing that card holders will be concerned whenever their credit or debit card information is put at risk, if they know of it, provides an incentive to companies to invest in the protections their customers would want. Transparency makes the market work in this area.

It’s a bit jarring to see a lucid pro-transparency, pro-security argument from a federal prosecutor. For years, law enforcement has had an informal policy of protecting companies from the public relations consequences of their poor security — a kind of omerta among intruders, the companies they hack and the feds, where only the public is left in the dark. To be sure, it’s never been set in stone, and not all feds have played ball. But it’s a common practice, and it corrodes accountability.

It began with the first big for-profit card breach of the internet era — the 1997 case of Carlos Salgado Jr., who was caught trying to sell 80,000 stolen credit card numbers on IRC. The government persuaded Salgado’s judge to permanently seal the identity of the company he hacked, in order to shield it from “loss of business due to the perception by others that computer systems may be vulnerable.” That the perception would be completely accurate didn’t matter in the least.

Back then, the feds were worried that companies would stop reporting intrusions if they got bad press. J.C. Penney raised this argument as well, warning that outing the company “may discourage other victims of cybercrimes to report the criminal activity or cooperate with enforcement officials.” It takes real cojones to tell a judge that chain stores around the country are prepared to commit the federal crime of misprision if J.C. Penney doesn’t get its way.

U.S. District Judge Douglas Woodlock shot back that he was “astonished” that a company would even think to not cooperate with law enforcement, and ultimately determined “there shouldn’t be privacy for corporations.” “It is so absurd to think that [corporations] are entitled to special benefits,” he said on Friday.

California’s 2003 breach-disclosure law, and similar laws now in effect in 45 states, have already done a lot to shatter the code of silence surrounding breaches, but that didn’t stop New Jersey federal prosecutors from initially promising J.C. Penney anonymity. It was only when the Gonzalez case was transferred to Boston — and a new prosecutor — that the public gained an advocate in the case. Heymann’s successful defense of transparency suggests a sea change in law enforcement: a recognition that data breaches don’t occur in a vacuum. They fester under a rock, and wither and die only when flooded with sunlight.

As Heymann acknowledged in his filing (.pdf), there can be valid law enforcement reasons for withholding identification of an intrusion target. But protecting the “dignity” of the company isn’t one of them. The Justice Department should adopt this prosecutor’s position as its default in identity-theft breaches.

Image courtesy Roadsidepictures

TJX Accomplice Sentenced to 7 Years in Prison

BOSTON — A hacker who helped TJX hacker Albert Gonzalez and others gain access to corporate networks was sentenced to 7 years and one day on Monday.

Christopher Scott, 27, pleaded guilty to breaching the wireless access points of several retailers between 2003 and 2007 to siphon credit and debit card numbers, which he then passed to Gonzalez. Prosecutors say that together the men pilfered nearly 20 million credit and debit cards, which retailers say led to $200 million in losses from fraud.

They used the cards to obtain cash advances from ATMs or sold the account information to other carders, who encoded the data to blank and counterfeit bank cards for fraudulent use. Scott’s take from the crimes was at least $400,000, according to prosecutors. He was paid in cash and with pre-paid bank cards, and used the money to rent limos and party with up to 10 women at a time, prosecutors say, and later bought a car, jewelry and a $400,000 house.

The government is seeking forfeiture of $400,000, nine computers and an array of other electronic goods from Scott. Restitution will be determined at a future hearing.

Scott, who is married and has a 6-year-old stepdaughter, has been living with his family under home detention, with electronic monitoring, in his mother’s Miami house for about two years since his May 2008 arrest. During Monday’s hearing Scott, who wore glasses, black pants and a beige plaid shirt, broke down crying while making a statement to the court.

“I feel terrible for what I’ve done,” he said. “Over the past two years I have thought a lot about my bad decisions. . . . I am committed to being a positive part of society.”

His young wife, seated next to his mother and uncle, wiped tears from her eyes with the sleeve of her black turtleneck sweater.

Scott, whom authorities describe as a “junior partner” and a “valued lieutenant” in Gonzalez’s criminal enterprise, faced a life sentence prior to his plea agreement, but the agreement brought that down to a maximum sentence of 22 years and a minimum of $750,000 in fines. Prosecutors sought 13 years in prison and restitution in the amount of $189 million.

“The case before this court will be a benchmark for other computer hackers and identity thieves,” prosecutors wrote in their sentencing memo, “and there is no shortage of them out there…. There has never been a computer hacking and identity theft case … where the financial cost has been so dear or the breadth of the personal victimization so large.”

His attorney sought three years in prison and two years probation, including one year of home detention and electronic monitoring, plus 480 hours of community service. He also asked that the court forgo a fine or restitution.

But U.S. District Judge Douglas Woodlock, who sentenced TJX ringleader Gonzalez last week to 20 years in prison, said that hacking crimes “open up a Pandora’s box of harm to the community,” and that it was important to send a message to other youths who might follow in his footsteps that they will be punished. Although he contemplated giving Scott 10 years, he took into consideration the significant domestic responsibilities that Scott had assumed in helping to raise his stepdaughter and get his wife, a former cocaine addict, off drugs. Scott remains free, pending a self-surrender scheduled for May 7.

Scott’s illegal activity began in 2003 when he breached a BJ’s Wholesale Club through one of the company’s wireless access points, according to court records.

Hacker Sentenced to 20 Years for Breach of Credit Card Processor

BOSTON — Convicted TJX hacker Albert Gonzalez was sentenced to 20 years and a day, and fined $25,000 on Friday for his role in breaches into Heartland Payment Systems, 7-Eleven and other companies.

The sentence will run concurrently with a 20-year sentence he received on Thursday in two other cases involving hacks into TJX, Office Max, Dave & Busters restaurants and others, so it adds only one day to his total prison term. Restitution will be decided at a future hearing.

“I understand the road to redemption will be long,” said Gonzalez, 28, before the sentence was pronounced.

Albert Gonzalez at the 2001 DefCon hackers' convention in Las Vegas

Gonzalez, who once dubbed his criminal enterprise “Operation Get Rich or Die Tryin’,” had faced a sentence of between 17 and 25 years for the intrusions.

He was indicted last August — along with two unnamed East European hackers known only as “Grigg” and “Annex” — on charges of hacking into Heartland Payment Systems, a New Jersey card-processing company, as well as Hannaford Brothers supermarket chain, 7-Eleven and two unnamed national retailers.

Lawyers representing the two unnamed companies spent 30 minutes Friday trying to persuade the court not to unseal documents identifying those retailers, who suffered breaches, but no known loss of sensitive customer data. In the end, U.S. District Judge Douglas Woodlock ordered the documents unsealed, paving the way for the companies to be identified. [Update: One of the companies has been confirmed as JC Penney, by the blog Storefront Backtalk, which reported last year that the company was believed to be among the targets. The second company is Wet Seal.]

According to the government, Gonzalez and an uncharged conspirator found the targets on a list of Fortune 500 companies and then did reconnaissance to determine the payment-processing systems they used. They then uncovered vulnerabilities in the systems they could exploit.

Using a SQL-injection attack, the hackers broke into the 7-Eleven network in August 2007, stealing an undetermined amount of card data. They used the same kind of attack to infiltrate Hannaford Brothers in November 2007, which resulted in 4.2 million stolen debit and credit card numbers; and into Heartland on Dec. 26, 2007. Of the two unnamed national retailers mentioned in the affidavit, one was breached on Oct. 23, 2007, and the other sometime around January 2008.

TJX Hacker Gets 20 Years in Prison

BOSTON — Convicted TJX hacker Albert Gonzalez was sentenced to 20 years in prison on Thursday for leading a gang of cyberthieves who stole more than 90 million credit and debit card numbers from TJX and other retailers.

The sentence for the largest computer-crime case ever prosecuted is the lengthiest ever imposed in the United States for hacking or identity-theft. Gonzalez was also fined $25,000. Restitution, which will likely be in the tens of millions, was not decided Thursday.

Clean-cut, wearing a beige jail uniform and wireframe glasses, the 28-year-old Gonzalez sat motionless at his chair during Thursday’s proceedings, his hands folded in front of him.

Before the sentence was pronounced, Gonzalez told the court he deeply regrets his crimes, and is remorseful for having taken advantage of the personal relationships he’d forged. “Particularly one I had with a certain government agency … that gave me a second chance in life,” said the hacker, who had worked as a paid informant for the Secret Service. “I blame nobody but myself.”

“I violated the sanctity of my parents’ home by using it to stash illegal proceeds,” said Gonzalez. He asked for a lower sentence “so I can one day prove to [my family] that I love them as much as they love me.”

The hacker’s voice cracked and his gaze drifted to the floor as he finished his statement. His father, mother and sister sat in the front row of the gallery; Gonzalez’s father’s eyes reddened and he held a tissue to his face.

Gonzalez, who once dubbed his criminal enterprise “Operation Get Rich or Die Tryin’,” had argued in court filings that his only motive was technical curiosity and an obsession with conquering computer networks. But chat logs the government obtained showed Gonzalez confiding in one of his accomplices that his goal was to earn $15 million from his schemes, buy a yacht and then retire.

The hacker had faced a sentence of between 15 and 25 years for the TJX string of intrusions. The government sought the maximum, while Gonzalez sought the minimum, on grounds that he suffered from Asperger’s disorder and computer addiction, and that he cooperated with the government extensively against his U.S. co-conspirators and two Eastern European hackers (known only as “Grigg” and “Annex”). Gonzalez even provided the government with information about breaches that had not yet been detected.

A psychiatrist who examined Gonzalez for prosecutors, however, found no evidence of Asperger’s disorder or computer addiction. At Thursday’s hearing, assistant U.S. attorney Stephen Heymann urged the court to hand down a 25-year sentence that would strongly deter future Albert Gonzalezes from a life of cybercrime.

Gonzalez “conned law enforcement once before with the idea that he had seen the error of his ways,” said Heymann. “What matters is that teenagers and young people not look up to him.”

Defense attorney Martin Weinberg argued the minimum 15-year sentence would be sufficient to set an example. “That’s an enormous, devastating sentence … and a compelling and clear message to anyone looking at this case that they would suffer what he has suffered.”

In splitting the difference, U.S. District Judge Patti Saris credited Gonzalez for his apparent remorse, and his bond with his family. But Saris said she was disturbed by the fact that he committed his crimes while working for the government. She explained the low $25,000 fine by predicting her restitution order, to be set at a future hearing, will be sizable.

“You’re never possibly going to be paying back all the restitution that’s going to be ordered,” said Saris.

Gonzalez Accomplice Gets Probation for Selling Browser Exploit

A computer security professional who sold Internet Explorer exploit code to credit card hacker Albert Gonzalez was sentenced Tuesday in Boston to three years probation and a $10,000 fine.

Jeremy Jethro, 29, was paid $60,000 by Gonzalez for a zero-day exploit against Microsoft’s browser, “the purpose and function of which was to … enable the conspirators to unlawfully gain access to, and redirect, individual’s computers,” according to court records.

Gonzalez led a team of hackers who gained unauthorized access to company networks and stole more than 90 million credit and debit card numbers, though it’s not clear what role, if any, the $60,000 zero-day played in the attacks. Jethro’s attorney, Stacey Richman, told Threat Level the exploit was a dud.

“The exploit never worked,” she said. “None of them worked. There was a question of potentially two [exploits] and neither of them worked.”

Jethro pleaded guilty to a misdemeanor conspiracy charge for providing the malware. Under Tuesday’s sentence, Jethro will be confined at home, under electronic monitoring, for the first six months of his three-year-long probation.

Richman said Jethro did not know Gonzalez’s intended use for the exploit. She also said the judge took into consideration her client’s life change in 2006 when he turned to Christianity and “renounced any aspect of any wrongful behavior.”

She said Jethro, who is currently working in the computer industry “had spent the years since then entirely in a very proper manner.”

He’s the third person to be sentenced for conspiring with Gonzalez in criminal activity. Last December, Stephen Watt, a former coder for Morgan Stanley, was sentenced to two years in prison for providing a sniffer to Gonzalez that helped him siphon card data from TJX’s corporate network. Watt was also ordered to pay restitution to TJX in the amount of $171.5 million.

Earlier this month, Humza Zaman, a former network security manager at Barclays Bank, was sentenced to 46 months in prison and fined $75,000 for serving as a money courier for Gonzalez. He was charged with laundering between $600,000 and $800,000 for Gonzalez.

Gonzalez is scheduled to be sentenced this week in Boston for his role in the hacks of TJX, Dave & Busters, Hannaford Brothers, 7-Eleven and Heartland Payment Systems. He faces a sentence of between 17 and 25 years. Prosecutors are asking for the latter.

18:30: This article was updated to add comment from Richman, and to correct an error. Jethro’s charge did not link him to Gonzalez’s credit card thefts.

Image: BlubrNL/Flickr

Secret Service Paid TJX Hacker $75,000 a Year

Convicted TJX hacker Albert Gonzalez earned $75,000 a year working undercover for the U.S. Secret Service, informing on bank card thieves before he was arrested in 2008 for running his own multimillion-dollar card-hacking operation.

The information comes from one of Gonzalez’s best friends and convicted accomplices, Stephen Watt. Watt pleaded guilty last year to creating a sniffer program that Gonzalez used to siphon millions of credit and debit card numbers from the TJX corporate network while he was working undercover for the government.

Watt told Threat Level that Gonzalez was paid in cash, which is generally done to protect someone’s status as a confidential informant. The Secret Service said it would not comment on payments made to informants. Gonzalez’s attorney did not respond to a call for comment.

“It’s a significant amount of money to pay an informant but it’s not an outrageous amount to pay if the guy was working full time and delivering good results,” says former federal prosecutor Mark Rasch. “It’s probably the only thing he was doing — other than hacking into TJX and making millions of dollars.”


Gonzalez’s salary highlights how entwined he was with the government at the time he participated in the largest identity theft crimes in U.S. history. Gonzalez, 28, is set for sentencing this week on three indictments covering nearly every headline-making bank-card theft in recent years, including intrusions at TJX, Office Max, Hannaford Brothers, 7-Eleven and Heartland Payment Systems (which alone exposed magstripe data on 130 million credit and debit cards). The hacker’s plea agreements contemplate a total prison term of between 17 and 25 years.

Rasch says Gonzalez’s $75,000 is nothing compared to the million-dollar payouts some undercover informants get for high-risk, high-value cases such as Mafia investigations. But Gonzalez’s payments dwarf the meager handouts given previous computer crime informants.

TJX Hacking Conspirator Gets 4 Years

Humza Zaman, a co-conspirator in the hack of TJX and other companies, was sentenced Thursday in Boston to 46 months in prison and fined $75,000 for his role in the conspiracy. The sentence matches what prosecutors were seeking.

Zaman, a 33-year-old former network security manager at Barclays Bank, was charged with laundering between $600,000 and $800,000 for hacker Albert Gonzalez, who is currently awaiting sentencing on charges that he and others hacked into TJX, Office Max, Heartland Payment Systems and numerous other companies to steal data on more than 100 million credit and debit card accounts.

Zaman pleaded guilty in April to one count of conspiracy. His sentence includes three years of supervised release with the condition that Zaman must disclose his conviction to any future employer. Upon release, Zaman will not be barred from using computers.

Zaman is the second conspirator in the TJX case to be charged. Former Morgan Stanley coder Stephen Watt was sentenced in December to two years in prison for his role in the TJX case, which involved supplying Gonzalez with a sniffer program used to siphon card data from the TJX network.

Once the card data was stolen, mules were used to siphon the money from ATMs and send the money electronically — either by a wire transfer or using digital currencies such as E-gold and Web Money — to a bank account in Latvia. Gonzalez’s portion of the booty was then transferred to other bank accounts, some of them opened under fictitious names. Zaman’s job in the United States was to withdraw funds from these accounts at ATMs in various locations across the country, and then send the cash to Gonzalez in Florida.

Zaman also traveled to San Francisco three times in late 2005 and early 2006 and met with “an unknown man of apparent Eastern European descent” who slipped him between $50,000 and $370,000 in cash each time. Zaman then shipped the money via Federal Express to Gonzalez. Zaman also picked up money in New York for Gonzalez. Each time, he earned 10 percent of the amount shipped.

In March 2008, two months before Gonzalez was arrested in Florida, Zaman sent him ATM system logs from Barclays, a bank where Zaman was working as manager of network perimeter security. Prosecutors said Gonzalez uploaded the logs to a Latvian server he controlled and shared with others, but there is no evidence that the logs were used for nefarious purposes before Gonzalez’s arrest or after.

In addition to the Barclays ATM logs, investigators found 16.3 million payment card numbers on the Latvian server and an additional 27.5 million card numbers on a server in the Ukraine.

Gonzalez is currently facing a minimum 17-year sentence in prison.

Prosecutors had sought only 46 months and a $75,000 fine for Zaman because his activities were limited solely to money laundering. The government said it had “no evidence that Zaman participated in, or reasonably foresaw the extent of, the intrusions and data thefts perpetrated by the Gonzalez organization.”

Prosecutors said Zaman did not provide “substantial assistance” in the investigation or prosecution of anyone else. He provided information about his own activities, the authorities said.

According to the prosecution’s sentencing memo (.pdf), Zaman was a popular kid with lots of friends. He was a member of chess, debate and math clubs and was on a successful career path, earning $130,000 plus bonuses from Barclays, where he worked for two years.

“But he enjoyed partying and using expensive recreational drugs when he wasn’t working,” prosecutors said. “So he needed cash beyond his six-figure legitimate income.”

Zaman told Threat Level that the government’s portrayal of him as a money launderer and drug addict is exaggerated, even though he pleaded guilty to the conspiracy charge. He says he just picked up the packages of money as a favor to Gonzalez, whom he met in 2004 through Stephen Watt, and didn’t know that the money came from carding.

“I asked [Gonzalez], ‘Is this illegal?’ And I was told that this was just money that was owed to him,” Zaman said.

He said he only picked up a few packages of money for Gonzalez, primarily in 2005, before he stopped.

Update: This story has been updated with comments from Zaman.

Photo: Refracted Moments/Flickr

Former Morgan Stanley Coder Gets 2 Years in Prison for TJX Hack

The two great friends talked every day and shared information about all of their exploits — sexual, narcotic and hacking — according to prosecutors. Now another thing they’ll have to share information about is their experience in federal prison.

Stephen Watt
Photo courtesy Michael Farkas

While accused TJX hacker kingpin Albert Gonzalez awaits a possible sentence of 17 years or more in prison, one of his best friends and accomplices was sentenced on Tuesday in Boston to two years for his role in what the feds are calling “the largest identity theft in our nation’s history.”

Stephen Watt, a 25-year-old former Morgan Stanley software engineer, pleaded guilty last December to creating a custom sniffing program dubbed “blabla” that Gonzalez and other hackers used to siphon millions of credit and debit card numbers from TJX’s network. The breach cost TJX $200 million, according to its 2009 SEC filing.

Watt’s lawyer had sought a sentence of probation.

But instead the 7-foot-tall coder who once had a bright professional future got two years in federal prison and three years of probation. A spokeswoman for the U.S. attorney’s office in Massachusetts said the judge also ordered Watt to pay restitution to TJX in the amount of $171.5 million.

According to a source familiar with the case, U.S. District Judge Nancy Gertner indicated that her sentence was based in part on the enormity of the harm that was caused to the public by the crime and Watt’s undeniable assistance in causing that harm.

“She believed in the end that a probation sentence would not be sufficient to satisfy the general deterrence to prevent harm to the public,” the source said.

His lawyer, Michael Farkas, declined to comment on the sentencing.

Farkas asserted in his court filings that Watt was a minor and peripheral player in the credit card theft ring that Gonzalez dubbed “Operation Get Rich or Die Tryin” that began in 2005 to breach numerous vulnerable national retailers and card processors.

Watt, who graduated from high school at 16 with a 4.37 grade point average, was driven by intellectual curiosity and friendship, not greed, his lawyer said, and had no idea his program would be put to criminal use.

Prosecutors never alleged that Watt received money for the software he wrote, or directly profited from the hacks. But they brandished more than 300 pages of chats the two friends exchanged that belied Watt’s stated ignorance.

“You have got to convince typedeaf to do some work for me,” Gonzalez wrote Watt in one of them, referencing the handle of another hacker. “If he was able to hack some euro dumps we can make a fortune. I hacked a place and took ~30k euro dumps and this last week I made ~11k from only selling ~968 dumps.” (Dumps are the carding underground’s term for credit or debit card magstripe data, including account numbers.)

As Gonzalez and his accomplices hacked target after target, he sent Watt links to news stories describing a tidal wave of debit fraud spreading around the world.
