The remaining individual is known only by an alias and authorities do not know where that person is.
Under the indictments, three Miami, Florida, men -- Albert "Segvec" Gonzalez, Christopher Scott and Damon Patrick Toey -- are accused of hacking into the wireless computer networks of retailers including TJX Companies (whose stores include Marshall's and T.J. Maxx), BJ's Wholesale Club, OfficeMax, Barnes and Noble and Sports Authority, among others.
The three men installed "sniffer" programs designed to capture credit card numbers, passwords and account information as they moved through the retailers' card processing networks, said Michael Sullivan, the U.S. attorney in Boston.
"This has other personal numbers that could give them access to credit or debit cards that have already been issued and are active," Sullivan told CNN.
The probe began in late 2006, Sullivan said. In addition to the Justice Department, the Secret Service has been conducting an undercover investigation for more than three years through the U.S. attorney's office in San Diego, he said.
The three then concealed the data in encrypted computer servers they controlled in the United States and Eastern Europe, the Justice Department said.
Some credit and debit card numbers were sold on the Internet, and were "cashed out" by encoding the numbers on the magnetic strips of blank cards. "The defendants then used these cards to withdraw tens of thousands of dollars at a time from ATMs," authorities said.
Gonzalez and the others used anonymous Internet-based currencies to conceal and launder their proceeds, as well as channeling funds through bank accounts in Eastern Europe, the department said.
"There are ties between all three districts and ties internationally that go all the way to the Ukraine and Latvia," Sullivan said. "The 41 million credit and debit numbers were used internationally."