"You're going to lose the middle part of your life because of this," he told Gonzalez. "You're in your middle 20s, you'll be in your middle 40s when you get out. You'll feel that. ... This is real time. And it's meant to deliver a message to others."
That wasn't the only message the judge delivered. In a major twist to the case -- and all three cases have been full of twists and turns -- the sentencing hearing opened with Judge Woodlock taking up issues related to sealed court documents dealing with two unnamed payment-processing companies whose security systems Gonzalez breached, also by SQL injection attacks, and planted with malware in November of 2007.
Those companies -- referred to in documents and in court Friday as "Company A" and "Company B" -- sought protective orders under the Massachusetts law that protects victims' rights.
The DOJ had agreed when the indictments were prepared that the companies would remain unnamed because neither one has publicly disclosed the breaches. Attorneys for the companies each argued -- unconvincingly as it turned out -- that because no customer data was stolen or ever used by criminals, they had no legal obligation to make the breaches known. They further argued that the companies they represent have a right to privacy.
Judge Woodlock clearly was not buying that argument from the get-go, declaring outright that in his view companies have no such right even though such notions are "in the air these days."
He made obvious references to a recent controversial U.S. Supreme Court ruling that said otherwise when it comes to corporate rights. But at least in Judge Woodlock's courtroom, such rights will not be conferred -- he intends to unseal the court documents and therefore publicly name the two companies because shareholders and customers have a right to know that their security systems were, even if they are not now, vulnerable.
He also was not moved by the argument that the breaches occurred long enough ago that it's no longer relevant to let customers know that they occurred. "They've had three years to alert their shareholding public -- they've chosen not to, improvidently," he said.
The two companies will not be part of whatever restitution agreement is reached in the case because they did not suffer financial losses. The matter of restitution was not taken up by Judge Woodlock and will be combined with restitution in the cases before Judge Saris.
Exactly how much financial damage was done may never be fully known, but the effects on companies involved were severe enough to warrant filings with the U.S. Securities and Exchange Commission.
And Heartland, for instance, says it lost nearly $130 million because of the security breaches. Heartland agreed to multimillion-dollar settlements with Visa and American Express for damages incurred by those companies in the thefts, which set off a reappraisal of corporate network security overall and prompted widespread changes as businesses sought to shore up security.
As Heymann noted, the efforts of Gonzalez's hacking ring also led the companies involved on a wild chase to close back doors and other entry points that the hackers exploited to access systems, which cost them yet more money.
A restitution hearing was set by Judge Saris for June 25.
And while the companies involved will be engaged in figuring out what to tell the court about how much they lost financially, the loss for Gonzalez's family was evident in the courtroom Thursday and Friday. His parents and sister attended the hearings -- he sought them out when he entered the courtroom to offer them a smile, and Friday as he was led out, as they wiped tears away, he mouthed a "good-bye" to them.