A computer hacker was sentenced to 20 years in prison after pleading guilty to one of the largest credit card theft schemes, reports the Associated Press. The hacker, Albert Gonzalez, broke into the computer networks of Fortune 500 companies like TJX Cos (owner of TJ Maxx), BJ’s Wholesale Club, Barnes & Noble, Office Max, and the restaurant chain Dave & Buster’s.
Gonzalez and two accomplices would drive by stores, looking for those that had weak networks, then hack into the systems to steal credit and debit card numbers. Authorities found more than 40 million credit and debit card numbers on Gonzalez’s laptops, some of which were sold overseas. Gonzalez accumulated more than $2.8 million in the scheme. He used the money to buy a condo, a car, a Tiffany ring for his girlfriend, and Rolex watches. His sentence requires him to give it all back, including $1 million he’d buried in his parents’ garden.
It wasn’t Gonzalez’s first time being caught hacking into computer systems. He was also arrested for the crime in 2003, but was let off because he became a Secret Service informant. He continued hacking into computer systems even while working as an informant.
Businesses suffer the most
The crimes reportedly cost retailers, insurers, and banks almost $200 million as they worked to clear up the fraud, opening and closing accounts, increasing security in their computer networks, and spending money on public relations to keep their customers.
Dave and Buster’s, which was one of the companies victimized by Gonzalez, recently settled charges from the Federal Trade Commission that it hadn’t done enough work to make credit and debit card information more secure. Dave and Buster’s had 130,000 credit and debit card numbers stolen, which led to hundreds of thousands in fraudulent charges, according to an FTC press release. Dave and Buster’s is now required to improve its security and be audited every year to prove it is compliant.
There’s no Federal law requiring companies to take action in a data breach, like the scheme run by Gonzalez and his accomplices. Some states have laws that tell companies what to do in these situations, but some states do not (AL, KY, MS, NM, CO).
Of course, there is a Federal law that says you don’t have to pay for charges you didn’t make. If you suspect your credit card number has been fraudulently used, contact your credit card issuer to report the charges. If only your credit card number has been stolen, you’re not liable for any of the charges made, no matter how long it takes you to discover the fraudulent charges.