Data stolen from TJX, the parent of T.J. Maxx and other retailers, has surfaced in Florida, where thieves used it to steal $8 million in merchandise from Wal-Mart stores. The thieves created fake credit cards that they used to buy Wal-Mart and Sam's Club gift cards, and then used those to buy goods in stores in 50 Florida counties, according to the Florida Department of Law Enforcement.

The ring was uncovered after Wal-Mart employees became suspicious of shoppers using multiple gift cards--many of them worth $400--to pay for purchases. Gift cards of $500 or more require customers to show ID. "They knew enough to go through the area of least resistance," says Dominick Pape, the special agent in charge of the case. Law enforcement tracked suspects from transaction records and video footage, arresting six and issuing warrants for four.

The intrusion that started the chain of events likely took place in July 2005. Documents sent by Visa to credit card issuers indicate TJX was storing credit and debit card data in violation of the security standard developed by Visa and MasterCard.

Arkansas Carpenters Pension Fund, which owns 4,500 TJX shares, last week sued TJX to get records showing how it handled computer problems that exposed customer data.