Credit card thieves targeted cash and carry wholesaler Makro in the biggest ever card scam in the UK.
The case was brought by the Metropolitan Police fraud squad, and commentators said the investigation highlights a serious hole in many retailers' card-handling security.
Sunil Vishnu Mahtani, an IT worker employed by a credit card-processing company, was jailed for nine years for his part in the cloning of 100,000 credit cards. His accomplices, Shajahan Miah and Shaidul Islam Rahim, were jailed for four years each for their involvement.
BAA's Heathrow Express rail service was identified by the Met as the primary source of card details, with Makro cited as a secondary source.
According to a police report, the conspirators passed the cloned cards to a gang of Asian drug dealers based in Leicester, who purchased cigarettes abroad and sold them for profit in the UK. The gang has subsequently been apprehended and sentenced to a collective 46 years for drug trafficking.
The criminals succeeded in stealing£2 million from the cards, but the Met said that a further£20 million of cardholders' money was also at risk.
IT vendors said the case demonstrates the value of Chip and PIN initiatives, because chip cards are prohibitively difficult to clone. However, they stressed it also highlights the need for retailers to encrypt customers' credit card details as they are being processed.
'There is a need for additional security at retail-owned server-based systems,' said Retail Logic marketing director Mark McMurtrie. 'It's now possible to ensure that all card numbers are encrypted. Fraud moves to the weakest link, so the entire card-processing system needs to be protected. Many retailers are vulnerable at the moment.'
Makro is a subsidiary of the Metro retail group, based in Germany. Metro has upgraded its security since the fraudsters were caught.
Although the haul was large, it is still a drop in the ocean compared with the total defrauded through credit card cloning. APACS puts the figure for 2002 at nearly£150 million.