Damon Patrick Toey, 28, the last currently captured hacker who took part in the majority of major card security breaches over the last 10 years, has been sentenced to five years in prison. He also received three years of supervised release and a $100,000 fine. The U.S. Attorney for the District of Massachusetts had recommended a sentence of six years.
Toey had been part of the group of hackers that Miami-based Albert Gonzalez gathered around him and used to hack retailers first through attacks on their point of sale networks and, later, through attacks on retailers' computer systems themselves. Card issuers, including credit unions, have paid tens of millions of dollars in costs to close and reissue cards compromised in the breaches.
Gonzalez pleaded guilty and received a sentence of 20 years for his role in the crimes.
According to prosecutors, Toey played a key but subordinate role in Gonzalez' hacking operation, at one point locating and in effect hiring a computer expert somewhere in the former Soviet Union to decrypt encoded personal identification numbers. At another point, prosecutors said Toey moved into Gonzalez' apartment to help him move from hacking to compromise payment networks, as he had done in early hacks, to compromising corporate databases that contained millions of card records.
But despite all this, prosecutors still recommended six years, citing Toey's assistance in helping them bring cases against the other conspirators.
"Through its recommendation, the government seeks to balance the need for
general deterrence, a punishment which reflects Patrick Toey's active partnership in a computer hacking and identity theft organization responsible for victimizing millions of people, Toey's subordinate role in that organization, and his immediate cooperation and extensive assistance in the investigation of this case," the prosecution wrote in its sentencing memo.
The prosecutor did not issue any statement in the wake of the sentence.
According to Toey's attorneys, the hacking committed against TJX had been facilitated by Gonzalez' group but actually carried out by two Russian hackers that court documents have not formally identified.
In his own sentencing memo, Toey portrayed a childhood that was an odd mixture of poor parenting, poverty and computer access. He noted the prosecution had been correct when it said that his first criminal trip for Gonzalez had been when he was 18. Prosecutors have acknowledged that without Toey's help they would not have been able to have made strong cases against other hackers and conspirators.
With Toey's sentencing, the U.S. part of the cases arising from the card security breaches ends. Ongoing investigations into the overseas parts of the operations are continuing, but law enforcement officials would not comment on their progress.