Computer hacker Albert Gonzalez has been sentenced to 20 years in prison for masterminding a string of cyber-attacks on retailers, including TJX, which resulted in the theft of tens of millions of payment card details.
The sentence is the longest ever handed down in the US for hacking or ID theft. Gonzalez, who had already pleaded guilty, was also fined $25,000 and will face restitution charges.
Prosecutors had sought a 25-year sentence, claiming the actions of Gonzalez and his co-conspirators had cost retailers, including TJX, BJ's Wholesale Club and Barnes & Noble, around $200 million.
Gonzalez had sought leniency, citing drink and drug abuse issues as well as Asperger syndrome.
Beginning in 2005, the hacker and co-conspirators installed "sniffer" programs that would capture card numbers, as well as password and account information, as they moved through the retailers' credit and debit processing networks.
Once the data was harvested it was concealed in encrypted computer servers that the gang controlled in Eastern Europe and the US, says the DoJ. Some of the card numbers were sold to other criminals in the US and Eastern Europe over the Internet.
The stolen numbers were "cashed out" by encoding card numbers on the magnetic stripes of blank cards. The DoJ says the defendants then used these cards to withdraw tens of thousands of dollars at a time from ATMs.
Gonzalez's term could be extended today when he is sentenced on charges relating to another set of massive attacks on firms, including Heartland Payment Systems, that resulted in the theft of tens of millions of payment card details.