Hacker Gonzalez gets 20 years for Heartland breach

26.03.2010

"People with your gifts often find themselves dealing obsessively with computers," he said, adding that Gonzalez misapplied his abilities, and that while "the perception is that there's no harm if you don't see the people," the judge had heard from some of those affected in victim impact statements. He was especially taken by an elderly couple whose lives were badly disrupted when their private information was obtained through hacking into the Hannaford system. And so it was his duty, Judge Woodlock said, to address the issue of deterrence and to impose a sentence that would send a message to other cybercriminals and would-be cybercriminals.

"You're going to lose the middle part of your life because of this," he told Gonzalez. "You're in your middle 20s, you'll be in your middle 40s when you get out. You'll feel that. ... This is real time. And it's meant to deliver a message to others."

That wasn't the only message the judge delivered.

In a major twist to the case -- and all three cases have been full of twists and turns -- the sentencing hearing opened with Judge Woodlock taking up issues related to sealed court documents in the case dealing with two unnamed payment-processing companies whose security systems Gonzalez breached, also by SQL injection attacks, and on which he planted malware in November of 2007. Those companies -- referred to in documents and in court Friday as "Company A" and "Company B" -- sought protective orders under the Massachusetts law that protects victims' rights.

The DOJ had agreed when the indictments were prepared that the companies would remain unnamed because neither one has publicly disclosed the breaches. Attorneys for the companies each argued -- unconvincingly as it turned out -- that because no customer data was stolen or ever used by criminals, they had no legal obligation to make the breaches known. They further argued that the companies they represent have a right to privacy.