
Anatomy of a Breach: Gonzalez Sentenced — 20 Years for 174 Million Cards

> series: anatomy_of_a_breach —— part: 015 —— subject: albert_gonzalez —— sentence: 20_years —— cards: 174,000,000

Hedgehog Security 31 March 2010 12 min read

Twenty years. The price of 174 million cards.

On 25 March 2010, US District Judge Douglas Woodlock sentenced Albert Gonzalez to 20 years in federal prison — the longest sentence ever imposed for a computer crime. The sentence covered Gonzalez's role in the breaches of TJX Companies (94 million cards), Heartland Payment Systems (130 million cards), Hannaford Brothers (4.2 million cards), and 7-Eleven — a combined total of approximately 174 million payment card records, making it the largest hacking and identity theft case ever prosecuted.

The sentencing marked the end of one of the most extraordinary criminal careers in cyber history. Gonzalez had been arrested in 2003 for his role in the ShadowCrew criminal forum, flipped to become a paid Secret Service informant, and then — while ostensibly helping law enforcement catch cybercriminals — orchestrated the very crimes he was supposed to be helping prevent. His double life continued until 2008, when the Secret Service, investigating the Heartland breach, traced the attack back to their own informant.



From informant to inmate.

| Year | Event |
|------|-------|
| 2003 | Arrested for involvement in ShadowCrew forum. Becomes paid Secret Service informant. |
| 2005 | While working as informant, begins wardriving Marshalls stores for TJX attack. |
| 2005–2007 | Conducts 18-month intrusion into TJX, stealing 94 million cards via Wi-Fi compromise. |
| 2007–2008 | Launches SQL injection attacks against Heartland, Hannaford, and 7-Eleven. |
| 2008 | Visa and MasterCard alert Heartland to suspicious activity. Investigation begins. |
| 2009 | Arrested. Indicted for Heartland, TJX, Hannaford, and 7-Eleven breaches. Pleads guilty. |
| March 2010 | Sentenced to 20 years — the longest hacking sentence in history. |

174 million cards. The same basic failures.

Gonzalez's four-breach campaign exploited the same preventable vulnerability classes repeatedly: SQL injection in web applications, WEP encryption on wireless networks, absent network segmentation between corporate and payment systems, and unencrypted card data in transit. Not one of these vulnerabilities was novel. Not one required a zero-day exploit. Every single entry point would have been identified by a standard web application or infrastructure penetration test.

The fact that the same attacker could exploit the same vulnerability classes against four different organisations — over a period of years — demonstrates the gap between what the security industry knows and what organisations implement. SQL injection was number one on the OWASP Top 10 throughout this period. WEP had been known to be broken for years. PCI DSS mandated network segmentation and encrypted card data. Yet the vulnerabilities persisted, and Gonzalez exploited them with devastating effect.
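The SQL injection class named above is the simplest of the four to show side by side. The following is an added example, not code from the original article or from any of the breached systems: a constructed in-memory SQLite table with a lookup built by string concatenation next to the same lookup with a bound parameter, so the difference a penetration test would flag is visible in the returned rows. The table, its rows and the `lookup_*` function names are all assumptions made for the example.

```python
import sqlite3

# Constructed sample data for this example only; names and regions are made up.
MERCHANTS = [
    (1, "Store A", "north"),
    (2, "Store B", "south"),
    (3, "Store C", "north"),
]


def build_db():
    """Create an in-memory database holding the constructed merchant table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE merchants (id INTEGER, name TEXT, region TEXT)")
    conn.executemany("INSERT INTO merchants VALUES (?, ?, ?)", MERCHANTS)
    return conn


def lookup_vulnerable(conn, region):
    """The defect: the caller-supplied value is spliced into the statement text,
    so a quote character in the input can change the query's structure."""
    sql = "SELECT name FROM merchants WHERE region = '" + region + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterised(conn, region):
    """The fix: the driver sends the value separately from the statement text,
    so the input is only ever compared as a literal string."""
    sql = "SELECT name FROM merchants WHERE region = ?"
    return [row[0] for row in conn.execute(sql, (region,))]


if __name__ == "__main__":
    db = build_db()
    benign = "north"
    tautology = "' OR '1'='1"          # classic test input used by scanners and testers
    print(lookup_vulnerable(db, benign))        # ['Store A', 'Store C']
    print(lookup_vulnerable(db, tautology))     # every row is returned: the WHERE clause was rewritten
    print(lookup_parameterised(db, tautology))  # []: no region is literally named "' OR '1'='1"
```

Running the vulnerable lookup with the tautology input returns all three rows; the parameterised version returns none, which is the behaviour a code review or web application test looks for.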


What the Gonzalez case still teaches us.

The Gonzalez sentencing closed a chapter, but the lessons remain open. The most damaging cyberattacks continue to exploit known, preventable vulnerabilities — not zero-days. The organisations that suffer the worst breaches are not the ones targeted by the most sophisticated attacks — they are the ones with the most basic gaps in their defences.

Our penetration testing identifies these gaps before attackers do. Cyber Essentials certification establishes the baseline that Gonzalez's victims lacked. SOC in a Box provides the continuous monitoring that would have detected his months and years of lateral movement and data exfiltration. And when a breach is discovered, UK Cyber Defence provides the incident response capability to investigate, contain, and support law enforcement. The tools to prevent the next Gonzalez exist. The question is whether your organisation has implemented them.


174 million cards were stolen through preventable vulnerabilities. Are yours still open?

Every breach in the Gonzalez campaign would have been caught by standard <a href="/penetration-testing">penetration testing</a>. SQL injection, weak wireless encryption, missing segmentation — we find these in 2025 just as Gonzalez exploited them in 2005.
