TJMaxx Hacker Gets 20 Years


Remember the largest personal data theft in history? The guy who was supposedly behind it was sentenced this week to 20 years in prison.

Albert Gonzalez, who operated under the hacker alias SoupNazi, pleaded guilty last year to slipping into the computer networks of major retailers such as TJ Maxx, BJ's Wholesale Club, Barnes & Noble, OfficeMax and Boston Market.
To pull off the caper, Gonzalez, 28, would hack into the Heartland Payment systems that handled credit card transactions for major retailers. Then the Miami resident got creative. He would cruise by stores with his laptop and infiltrate wireless Internet signals.
A Trojan Horse program would be planted in the store's network and Gonzalez would later vacuum out credit and debit numbers.
Authorities say Gonzalez worked with two co-conspirators and operated overseas as well. All told, the operation stole more than $200 million. The Secret Service estimated that the potential economic loss could be in the billions. Gonzalez personally amassed $2.8 million.

Of course, the retailers involved bear some of the fault: they were using WEP encryption, known for years before the data theft to be easily hacked and thus insecure, to wirelessly transmit transaction data between registers and the store office. Gonzalez and his crew were able to repeatedly tap into the store systems this way, and learned how to log in to the corporate computer system of TJX, parent company of TJ Maxx, BJ's Wholesale Club, Barnes & Noble, OfficeMax and Boston Market. Since TJX evidently was storing customer data in violation of PCI Data Security Standards, Gonzalez and crew were able to steal some 46 million customer credit cards from this company.
Amazingly, PCI standards will not ban the use of WEP in credit card systems until June 30, 2010 (although they have prohibited new systems that use WEP from being installed since March 31, 2009).
