Six people have been arrested in the US in connection with fraud using credit card data stolen from discount clothing giant TJX, owner of the TK Maxx chain in the UK.
Fraud using the stolen data is so far estimated to have cost banks and retailers more than £4m.
In January, TJX disclosed that a security breach had led to the theft of credit card data from an unknown number of customers. Credit and debit card holders in the UK, Ireland, the US, Canada and Puerto Rico may have been affected by the theft.
The retailer said an “unauthorised intruder” had gained access to its systems in mid-December.
Police and officials from the Florida Department of Law Enforcement have taken six people into custody for allegedly using the TJX customer data to purchase large quantities of gift vouchers from discount chains Wal-Mart and Sam's Club.
The arrests mark the first crime to be linked to the TJX data theft, although banks have previously reported that accounts held by consumers affected by the incident had been used in attempted fraud around the globe.
Florida law enforcement officials confirmed that they initially reported the fraud cases to TJX in November 2006. The retail chain began informing customers of the data breach two months later.
The alleged fraudsters were reported by Florida law enforcement officials to have been travelling around the state buying large quantities of Wal-Mart gift vouchers, using the stolen credit card accounts, and then redeeming the vouchers at other locations. Among the items purchased by the scammers were computers, gaming devices, and big-screen TVs.
Wal-Mart and the banks that issued the credit cards have lost more than £4m, and Florida officials said losses are still being calculated.
The six people arrested have been charged with organised scheme to defraud, with bail set at $1m (£500,000) each.
Law enforcement officials have also issued warrants for the arrest of four other people believed to be involved in the scheme.
TJX has refused to reveal how many customers may be affected by the December data theft, but has said that most of the data involved is related to people who shopped at its stores in the US, Canada, and Puerto Rico during 2003, and between May and December 2006.
Last month, TJX said it had discovered a new set of IT systems intrusions that exposed personally identifiable customer information. It now believes that intruders infiltrated its databases repeatedly during 2005 in addition to the security breach it admitted in January.
Reports of crime connected to the TJX data theft first surfaced in the US on 24 January, when the Massachusetts Bankers Association reported that several banks in the state had observed instances of fraud specifically related to the accounts of consumers involved in the TJX incident.
The banking association said it had received reports of criminal activity carried out using exposed debit and credit card accounts in the US, Hong Kong and Sweden.
Find your next job with computerworld UK jobs