Man sentenced for hacking restaurant card data

WASHINGTON -- Albert Gonzalez, the mastermind of payment card data thefts from Boston Market and Dave & Buster’s and a participant in the hack of a credit transaction processor serving thousands of restaurants, has been sentenced to two 20-year prison terms, the U.S. Justice Department said.

In a separate development, the Federal Trade Commission said late last week that one of the companies targeted by Gonzalez’s ring -- Dallas-based Dave & Buster’s Inc. -- will be subject to closer scrutiny for 20 years. That is the length of time that conditions laid down by the federal agency must be met by Dave & Buster’s following its agreement to settle FTC charges that the casual-dining chain had “left consumers’ credit and debit card information vulnerable to hackers, resulting in several hundred thousand dollars in fraudulent charges.”

April Spearman, vice president of marketing for 55-unit Dave & Buster’s, said the company had no comment about Gonzalez’s sentencing or its settlement with the FTC. However, she reiterated the company’s earlier statements that it had acted immediately after being alerted to the possibility of data theft at 11 of its restaurants in 2007 and had “worked closely with both the Secret Service and Department of Justice and assisted them in their investigations.”

Dave & Buster’s has said that after learning of the data network breach, it retained outside security experts and deployed additional measures to prevent similar thefts going forward.

In a March 26 filing with the U.S. Securities & Exchange Commission, Dave & Buster’s said, “The order does not require [Dave & Buster’s] to pay any fines or other monetary assessments and the registrant does not believe that the terms of the order will have a material adverse effect on its business, operations, or financial performance.”

Requests for comment about Gonzalez’s sentencing by Golden, Colo.-based Boston Market were unanswered as of press time.

Gonzalez, 28, was sentenced March 25 in U.S. District Court in Boston to 20 years in prison for two cases involving conspiracy, computer fraud, wire fraud, access device fraud and aggravated identity theft, according to the Justice Department. Those charges stemmed from data network intrusions at numerous companies, including 520-unit Boston Market, Dave & Buster’s, the TJX Cos., OfficeMax and Barnes & Noble. Those virtual break-ins were carried out by what federal officials characterized as the “largest hacking and identity theft ring ever prosecuted by the U.S. government.”

On March 26, Gonzalez received another 20-year prison sentence for two counts of conspiracy related to his efforts to assist others in gaining access to the payment card networks of Heartland Payment Systems, the 7-Eleven convenience store chain and supermarket operator Hannaford Brothers Co. Inc.

Heartland is a card transaction processor that at the time of the data breach served an estimated 60,000 restaurants nationwide, its representatives said.

Gonzalez, who pleaded guilty to the charges late last year, also was ordered to pay a $25,000 fine and submit to three years of supervision following his release from prison under the sentences, which will run concurrently. Justice officials added that the amount of restitution that Gonzalez will be ordered to pay in all three cases will be determined at a later date.

Federal prosecutors said Gonzalez admitted in court documents “that it was foreseeable that, based upon his assistance, his co-conspirators would be able to steal tens of millions of credit and debit card numbers, affecting more than 250 financial institutions.” To date, they said, six co-conspirators in the United States have pleaded guilty to related crimes, while another was arrested and convicted in Turkey.

The agreement between Dave & Buster’s and the FTC settles an investigation of the restaurant operator’s handling of payment card data launched after the hack of its data networks between May 18 and Aug. 28, 2007, the SEC filing by Dave & Buster’s said. The company said in the filing that it had “worked closely” with the FTC in its investigation.

Indicating that it was not singling out Dave & Buster’s among companies whose data networks have been hacked, the FTC said its dealings with the restaurant operator marked its 27th case challenging faulty data security practices by organizations that handle sensitive consumer information.

Among other provisions in the FTC’s Complaint and Agreement Containing Consent Order, Dave & Buster’s must create, implement and maintain a comprehensive information security program and make sure that any of its outside service providers are capable of safeguarding customer payment card data. The FTC said Dave & Buster’s must also, for 10 years, obtain initial and biennial assessments and reports from an independent auditor that set out the safeguards implemented and maintained by the restaurant company and explain how each meets or exceeds the protections required by the settlement.

The terms of the order are subject to public comment until April 26, the FTC said.

Contact Alan J. Liddle at [email protected].