TJX Hacker Pleads Guilty to Ripping Off Millions

Hacker Albert Gonzalez on Friday pleaded guilty to 20 federal charges accusing him of masterminding the largest identity theft ring in U.S. history.

The Miami resident, a 28-year-old hacker known by the screen name “segvec”, faces up to 25 years in prison after admitting to his role in illegally obtaining and using unsuspecting victims’ credit and debit card numbers. Gonzalez will remain in a federal facility in Rhode Island until his sentencing in December.

The card numbers were hacked from networks operated by TJX (NYSE: TJX), the parent company of the chain of T.J. Maxx and Marshalls clothing stores, B.J.’s Wholesale Club and OfficeMax.

The U.S. Department of Justice estimates Gonzalez and other co-conspirators hacked into the retailers’ systems, stealing more than 40 million credit and debit cards — the largest ID theft the DoJ has ever prosecuted. The crime network spanned from the U.S. to Ukraine and Southeast Asia where the thieves would fabricate phony credit and debit cards with the purloined numbers and then use them to withdraw cash from ATMs and purchase merchandise.

Several others have pleaded guilty or been convicted for their roles in the case. The high-profile case is just one of several that lawmakers and consumer protection advocates have pointed to as examples of why e-tailers, financial institutions, security software firms and law enforcement agencies must step up their efforts to protect consumers.

Judge Patti Saris told the Gonzalez that she will explore options to compensate those retailers, banks and consumers victimized in scam. Gonzalez was already relieved of most of his ill-gotten gains when authorities confiscated more than $1.6 million in cash, computers, real estate, vehicles and personal possessions.

However, according to Reuters, Saris said that she had “a sinking sensation that the number of victims may exceed the available recovery.”

Gonzalez still faces federal charges in New Jersey. His attorney, Rene Palomino, told reporters outside the Boston courtroom that Gonzalez was not the ringleader of the group as prosecutors contend but rather a “co-conspirator.”

Palomino added that Gonzalez was “extremely remorseful.”

According to a report issued in March by the Identity Theft Resource Center (ITRC), U.S. businesses and other organization had already been compromised by 83 security breeches — potentially exposing the records of at least 1.1 million people through the first three months of this year alone.