A Florida man, the ringleader of a group that used financial information stolen from TJX customers for fraudulent purchases, was sentenced this week to five years in prison and ordered to pay $600,000 in restitution.

Irving Escobar, 19, of Miami, pleaded guilty to charges that he used fake credit cards layered with information stolen in the notorious data breach to buy approximately $3 million in goods and gift cards.

Escobar was one of six people arrested in March for participating in the credit card fraud ring. The group was accused of traveling around Florida purchasing large amounts of gift cards – mostly at Wal-Mart and Sam's Club stores – with the stolen information.

The arrests were the result of a joint investigation conducted by the Gainesville (Fla.) Police Department and the Florida Department of Law Enforcement.

Co-defendants Dianelly Hernandez, Julio Alberti, Reinier Alvarez, and Zenia Llorente pleaded guilty in August and were sentenced to probation, according to Florida Attorney General Bill McCollum. Nair Alvarez, Escobar's mother, also pleaded guilty and was deported to Venezuela.

Mary Monahan, a partner with Javelin Strategy and Research, told SCMagazineUS.com today that she hopes Escobar's sentencing will be followed by the arrests of the individuals responsible for the breach itself.

“It's a good sentence. He's the ringleader for the group down in Florida, and everyone else got probation," she said. “The thing is that he's actually a small fish. He's 19 years old, and somebody supplied him with those credit card numbers, and hopefully they can get that person.

A TJX spokesperson could not immediately be reached for comment.

Law enforcement authorities said last month they were hopeful that the arrest of Ukrainian national Maksym Yastremskiy, 24, would lead them to the hackers responsible for the TJX breach that compromised the credit card information of about 45 million people.

Yastremskiy was trafficking more than a million credit card numbers and likely had close ties to the intruders, Greg Crabb, an agent with the U.S. Postal Inspection Service's global investigations unit, said last month. Yastremskiy is believed to have sold the credit card numbers for between $20 and $100 a piece.

Gartner analyst Avivah Litan told SCMagazineUS.com last month that law enforcement authorities have told her the intruders are difficult to apprehend because they are based overseas.

The TJX breach was the result of a scheme that began in 2005 when intruders used a “telephone-shaped antenna” and laptop to decode data moving among Marshalls store scanning devices, cash registers and PCs that were using wireless LAN connectivity, according to numerous published reports. The hackers may have ciphered data for up to two years.

TJX, the parent company of TJ Maxx, Marshalls and other discount retailers, has begun to feel the financial ramifications of the breach. The Framingham, Mass.-based chain's second quarter income fell sharply this year, from $138 million during its second quarter in 2006 to $59 million in the same period this year. The freefall has been attributed to an after-tax second-quarter charge of $118 million related to the breach.

That amount is comprised of $11 million for costs incurred during the quarter and $107 million in reserve funds to be used in the future for “probable losses,” according to Securities and Exchange Commission filings.