A Miami man pled guilty last week to being part of a gang that exploited vulnerabilities in store computer networks to steal data on more than 40 million credit and debit card accounts from several major retailers.

Albert Gonzalez pled guilty to 19 federal counts of conspiracy, computer fraud, wire fraud, access device fraud and aggravated identity theft relating to hacks into such U.S. retail chains as TJX Companies, operator of TJMaxx, Marshalls and other stores; BJ’s Wholesale Club; OfficeMax; Boston Market; Barnes & Noble and Sports Authority. He also pled guilty to one count of conspiracy related to hacking of the restaurant chain Dave & Buster’s.

According to the indictments handed down last year, Gonzalez and co-conspirators who may still be at large used several techniques for breaking into store computer networks, including driving around parking lots until they found an insecure wireless connection. Once they penetrated a chain’s network they used programs to find and obtain card numbers and in some cases the four-digit PINs associated with debit cards.

The criminals sold some of the card numbers and used others to produce debit cards that they then used to withdraw cash from ATMs, the indictment says. The card data they stole enabled them to produce magnetic stripes that could be swiped through a store payment terminal, and in most cases the cards likely were used to make purchases in stores, for instance, of prepaid cards that could easily be sold, says Aviviah Litan, a security expert at research and consulting firm Gartner Inc. She estimates only 2% of the stolen cards were used to make fraudulent purchases online.

Visa and MasterCard do not make public which cards are compromised in a breach like this, so it’s impossible to know how many cards stolen from these retailers were used to commit online fraud, says Cory Siddens, senior product manager for order screening at CyberSource Corp., a provider of antifraud technology to online merchants. Because these card numbers were stolen a few years ago, it’s likely they’ve already been used to commit fraud, or the card accounts canceled, he says. He adds that online retailers should always be on the alert for signs of fraud, such as many orders coming from a single computer or customers with different names shipping to a single shipping address.