Albert Gonzalez pleaded guilty last week to several high-profile card breaches, including those at retailers TJX Cos., Barnes & Noble, Sports Authority, OfficeMax and BJ's Wholesale Club.

Gonzalez, 28, faces up to 25 years in prison in Massachusetts and 20 years in New York as part of a deal with federal prosecutors, reports Credit Union Journal, a Collections & Credit Risk sister publication. He also will forfeit more than $2.8 million, a fraction of what the losses his schemes are believed to have cost. Sentencing has been scheduled for Dec. 8.

Arrested in 2003 for his involvement in an online cards scheme, Gonzalez also faces charges in the breaches at Heartland Payment Systems, Hannaford Bros. supermarkets and 7-Eleven convenience stores while he purportedly was serving as a government informant. At the same time he was supposed to be keeping an eye on other scams for federal law enforcement officials, he was expanding his own activities.

Gonzalez and his accomplices would cruise the parking lots of retailers and hack into their databases using a laptop computer, authorities said. The group was able to install malware, online "sniffers" that collected card information from the retailers' computer systems. The group would then sell the credit card information online.

Purchasers of the information would use it to make online purchases or to create their own credit or ATM cards, which they used to withdraw millions of dollars in cash. Much of the illegal activity was performed overseas, out of the reach of U.S. authorities, in places such as Russia, Ukraine, Bulgaria and China.

Subscribe Now

Authoritative analysis and perspective for every segment of the payments industry

14-Day Free Trial

Authoritative analysis and perspective for every segment of the industry