The U.S. parent of the Winners and HomeSense stores revealeddata from at least 45.7 million credit and debit cards was stolen by hackers who gained access to customer information.
TJX Cos. first disclosed the theft more than two months ago, but did not put a number on how much card data was compromised until the company made a regulatory filing Wednesday.
The retailer is the parent company of nearly 2,500 stores in Canada, the U.S. and Britain, including 184 Winners and 68 HomeSense stores in Canada.
Information from 45.7 million cards was stolen from transactions beginning in January 2003 and ending Nov. 23 of that year, TJX said in the filing with the U.S. Securities and Exchange Commission.
TJX said about three-quarters of the cards had either expired by the time of the theft or had data from their magnetic strips masked. The company said it started storing security code data in computers as asterisks rather than numbers starting in September 2003.
It gave no estimates of information stolen for transactions occurring from Nov. 24, 2003,to June 28, 2004.
Another 455,000 customers who returned merchandise without receipts also had their data stolen, including driver's licence numbers, according to the filing.
TJX deleted much of the transaction data in the normal course of business between the time of the breach and its detection, making it impossible to know how many cards were affected.
"There is a lot of information we don't know, and may never be able to know, which is why this investigation has been so laborious," TJX spokesperson Sherry Lang told the Boston Globe.
The only arrests tied to the case involve a gift card scam in which people are suspected of buying data from the TJX hackers to purchase Wal-Mart gift cards in northern Florida.
TheTJX case is believed to be the largest breach of consumer information.
Winners and HomeSense president Michael MacMillan said in February the hackers who stole information from TJX did not access information from Canadian debit cards.