Former Barclays programmer gets four years for role in TJX attacks

Computerworld - A former Barclays Bank programmer who helped launder money for the mastermind behind the data thefts at TJX Companies Inc. and other retailers was sentenced to four years in prison by a federal court in Boston on Thursday.

Humza Zaman, 33, was also ordered to pay a fine of $75,000 and will be under three years of court supervision upon his release.

Zaman last April had pleaded guilty to a one-count indictment charging him with a litany of offenses, including money laundering, unlawful access to computers, identity theft and wire fraud. Zaman's sentence is due to begin on April 12.

Court papers said Zaman helped Albert Gonzalez, the leader of the criminal gang behind the TJX attacks, launder $600,000 to $800,000 in stolen money. Zaman is believed to have received about 10% of the total for his effort.

Gonzalez was one of 11 individuals arrested in August 2008 in connection with the massive data thefts at TJX, BJ's Wholesale Clubs Inc. and numerous other retailers. In all, Gonzalez and his gang are believed responsible for stealing data more than 130 million credit and debit cards over a six-year period going back to 2003.

Gonzalez, who is from Miami, last year pleaded guilty to his role in the attacks and is awaiting sentencing. Under the terms of a plea agreement with federal prosecutors, Gonzalez will receive a minimum sentence of 17 years in prison.

According to court papers, Zaman's role in the operation was limited to helping Gonzalez repatriate proceeds from the sale and use of stolen credit card data. Gonzalez would often have money sent to a bank account in Latvia, and Zaman would arrange to have the money sent back to the U.S.

At one time, for example, Zaman used ATM cards linked to several fictitious accounts to withdraw more than $38,000 from Gonzalez's Latvian bank account. He then sent the money to Gonzalez, after keeping a 10% cut. Zaman also traveled from New York to California on multiple occasions to meet with an individual who would give him between $100,000 and $250,000 in cash. After taking his cut, Zaman would put the money in Federal Express boxes and ship it to Gonzalez using a fictitious name, the court papers said.

In March 2008, Zaman, who was working at Barclays at the time, sent a copy of the bank's ATM transaction log to Gonzalez to see if it would be of any value to his gang. That data, however, appears never to have been used by the gang, the court papers noted.

In recommending a 46-month sentence for his actions, prosecutors noted that Zaman "incontrovertibly knew that Gonzalez was a major hacker who profited handsomely from identity theft from major corporations." However, there is no evidence to show that Zaman participated in any of the intrusions or knew of their scope.

In a presentencing memo, prosecutors described Zaman as an individual with a normal childhood who read a lot, had a lot of friends and was a member of numerous after-school clubs. Between 1999 and the time of his arrest in March 2009, Zaman progressed through a "series of jobs with increasing responsibility" and saw his annual salary increase from $30,000 to more than $130,000 plus bonuses. However, a lifestyle characterized by partying and the use of expensive recreational drugs meant that Zaman "needed cash beyond his six-figure legitimate income," the memo noted.

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan, or subscribe to Jaikumar's RSS feed . His e-mail address is jvijayan@computerworld.com.

Read more about Security in Computerworld's Security Topic Center.