It is not uncommon to hear about a data breach incident or that a suspect (or suspects) has been arrested for the crime.  However, have you ever wondered how those suspects are punished?  Here are four data breach cases from recent years and just how each of the perpetrators was sentenced.

Heartland Payment Systems and Many Major Retailers

We will start off with the severest sentence ever passed down for computer crime in a United States court.  Albert Gonzalez was sentenced to 20 years in prison for the Heartland Payment Systems data breach.  His sentence was so severe because of how wide spread his hacking was.  Gonzalez was found guilty of hacking into the computer networks of Heartland Payment Systems, a payment processor, and many major retailers like Dave and Buster’s, T.J.Maxx, BJ’s Wholesale Club and Barnes & Noble. His actions cost a total of $200 million dollars and impacted 130 million debit and credit cards.

Dave and Buster’s

A part of Gonzalez’s sentencing included his involvement in the Dave and Buster’s data breach.   Gonzalez’s associate, Aleksandr Suvorov, was also involved in the Dave and Buster’s breach and was caught selling stolen credit card information to a US Secret Service Agent.  Between both incidents, Suvorov was sentenced to a total of seven years in prison.  The sentence was rather severe because the two incidents combined involved nearly a quarter of a million credit and debit cards. 

Michael’s

There were two individuals charged with conspiracy to commit bank fraud and aggravated identity theft in the Michael’s craft store point-of-sale breach. Eduard Arakelyan and Arman Vardanyan both received a sentence of five years in prison and five years of supervised release.    The men had swapped out point-of-sale devices at 84 Michael’s locations with skimming devices.  They took the data they collected from the skimmers and created nearly 1,000 counterfeit debit cards which they used at ATMs to take money out of the victim’s accounts.  In all, 94,000 credit and debit cards were affected.

Chase Bank

The man who was responsible for stealing 639 individuals’ debit card information at Chase Bank ATMs had an equal sentence to the Michael’s perpetrators, five years in prison with five years of supervised release.  Beneyam Asrat G-Sellassie placed skimming devices at Chase bank ATMs and racked up a total of $435,000 in charges.  Courts have ordered G-Sellassie to pay back all the fraudulent charges in restitution.

Data breaches are happening every day, all over the country.  Hackers know that if caught they would be facing a heavy sentence.  The rise of breaches in the restaurant, hospitality and retail sectors is a statistic that merchants should pay attention to.  Typically, these businesses represent smaller, less protected and less reactive targets than, for instance, financial institutions or larger retailers.  It is possible that many criminals may be making a classic risk vs. reward decision and opting to ’play it safe’ in light of recent arrests and prosecutions. Attacks on smaller restaurants, hotels and retailers represent a lower-risk alternative and hackers are taking advantage of that option.  That is why it is so important for merchants, especially those with small-to-medium sized businesses, to proactively protect themselves so they do not fall victim to the ever increasing number of hackers out there.