A Turkish court has sentenced a hacker to 30 years in prison for his role in the theft of 45 million identities from credit card transactions by nine US retailers including TJX.
Ukrainian Maksym Yastremskiy was among 11 people charged by US authorities in August 2008 in connection with the biggest identity theft to date.
The length of the sentence is significant and should make hackers consider whether cybercrime is worth the risk, said Graham Cluley, senior technology consultant at security firm Sophos.
The 25-year-old hacker, believed to be responsible for losses of up to tens of millions of dollars worldwide, was arrested in Turkey in July 2007 in a secret services operation.
"There are more and more convictions happening all the time and authorities are getting better than ever at co-operating at an international level," said Cluley.
Yastremskiy was charged last year with trafficking in unauthorised access devices, identity theft, aggravated identity theft and money laundering.
The gang used laptops to hack into unprotected wireless networks to steal credit card transaction details from TJX and other stores.
The stolen identities were then used to withdraw tens of thousands of dollars at a time from bank automatic teller machines.
TJX, which owns UK retailer TJ Maxx, announced the theft of the account details in 2007 and has since paid millions in compensation to the customers and banks affected.