The first arrests in connection with the recently disclosed breach at Heartland Payment Systems Inc. have been made.

The Leon County, Florida Sheriff’s office earlier this week announced the arrests of three area residents — Tony Acreus, Jeremy Frazier and Timothy Johns — for allegedly using stolen credit card numbers associated with the breach.

The arrests followed a three-month investigation of a major stolen credit card ring by the sheriff’s office, the Tallahassee Police Department and the U.S. Secret Service. BankInfoSecurity.com first reported the arrests, and said that the number of financial institutions affected by the breach now stands at more than 220.

A statement from the Leon County Sheriff’s office said the three men were arrested after being caught using stolen credit card numbers to make fraudulent purchases at local Wal-Mart stores. The three apparently used card information stolen from Heartland to “electronically encode Visa Gift Cards,” which they would then use to purchase goods from retailers, the statement said. The goods were then sold for cash.

The combined amount of actual and attempted fraudulent transactions by the three exceeded $100,000, the sheriff’s office said, adding that the investigation is ongoing and could result in additional charges and arrests.

Heartland is a Princeton, N.J.-based firm that processes payment card transactions for more than 250,000 merchants. On Jan. 20, it disclosed that unknown intruders had broken into its networks last year and stolen payment card transaction data. Although Heartland didn’t disclose the number of card accounts that were compromised, outside estimates from analysts and people within the payment industry pegged the number at more than 100 million. That would make it by far the biggest payment card breach to date, surpassing the 45.6 million card numbers that The TJX Companies Inc.said were stolen in a breach disclosed in January 2007.

The list of financial institutions affected by the Heartland breach now includes those in more than 40 U.S. states as well as banks in Bermuda, Canada and Guam, according to BankInfoSecurity.com.

The Heartland breach has already led to a class-action lawsuit against the company by law firm Chimicles & Tikellis LLP in Haverford, Pa., on behalf of a resident of Woodbury, Minn., and others who might have been affected by the data compromise.

In addition, the Washington Credit Union League in Federal Way, Wash., is pushing state legislators there to revive legislation that would mandate specific data protection controls on all merchants and third parties that process payment card data. The bill received its first hearing before a committee in the Washington House of Representatives soon after the breach disclosure, according to a statement by the WCUL.