Hackers stole the bank card details of millions of British and American shoppers in what is thought to be the world’s biggest ever credit card heist.
The crooks extracted at least 45.7 million credit and debit card numbers from the US and UK-based computer systems of the American retailer that owns bargain chain TK Maxx.
Banks and card companies have already found "preliminary evidence" of fraud using the data stolen from TJX, and law enforcement authorities are investigating possible cases.
The numbers were accessed on the company’s systems in Watford, Herts, and Framingham, Massachusetts, over a 17-month period and cover transactions dating as far back as December 2002.
The firm did not know how many of the cardholders affected
were shoppers at TK Maxx’s 210 stores in Britain and Ireland, although more of them were likely to be American.
Nor could a spokeswoman say whether any of the reports of possible fraud came from UK police.
The firm does not know who the intruders were, or how many people were part of the scam.
Two computer files out of 100 the hackers took from the Framingham system last year had apparently been moved from Watford.
But TJX, which has set up a UK helpline for concerned customers and is advising them to scrutinise their bank statements, cannot tell what card data they contained, and there may be more as yet undiscovered.
Even if the information was encrypted or masked, the technology the thieves used could have decrypted it, and they may also have stolen the numbers during the card issuer’s approval process - when it is not encrypted anyway.
"We don’t know what was in them, because of the software used in the intrusion and the deletions that we do ourselves in the normal course of business," TJX spokeswoman Sherry Lang said.
"We don’t know if we will be able to identify what was in them.
"The two files are what we have identified to date from Watford."
The case easily eclipses the largest single loss of consumer data previously reported, when just over 40 million CardSystems Solutions records were compromised in 2005.
In Britain Scotland Yard and the Information Commissioner’s Office were informed after the TJX theft was uncovred.
The FBI, the US Secret Service and state law enforcement agencies are all investigating in America, where the company has around 2,000 TJ Maxx, Marshalls, HomeGoods and AJ Wright stores.
Last week police charged six people in Florida with using credit card numbers that investigators believe were stolen from a TJX database to buy about a million dollars (#500,000) worth of electronics and jewellery with Wal-Mart gift vouchers.
Detectives have said they believe the suspects were not the actual hackers but had bought the card numbers from someone else.
Ms Lang stressed that about three-quarters of all the cards involved in the heist had either expired at the time of the theft, or had data from their magnetic strips masked.
But the hackers also accessed TJX’s encryption software, so they could have known how to unscramble information they stole.
They first accessed the company’s systems in July 2005 and on subsequent dates that year, and from mid-May last year to mid-January this year.
No customer data was stolen after December 18, when the retailer first discovered suspicious software on its system.
It revealed in January that it suspected numbers had been accessed, but has only now provided details of the full scale of the theft.
As well as card numbers, personal information provided by around 455,000 American customers who returned goods without a receipt was also stolen.
In a filing to the US Securities and Exchange Commission, the firm said details from 45.6 million cards relating to transactions between December 2002 and November 2003
Another 132,000 have been identified but TJX does not know how much data was taken in later periods because it deleted the information "in the ordinary course of business" before the breach was discovered.
Customers’ names and addresses were not stored on the systems with the card numbers, and it is not thought PIN numbers could have been accessed.
TJX is already facing an investigation by the Federal Trade Commission and lawsuits from individuals and banks accusing it of failing to do enough to safeguard private data.
Scotland Yard said any British criminal investigation would fall under the jurisdiction of Hertfordshire Police.
No one was available to comment at the force last night.
TJX said security had been tightened on its computer systems and customers should feel safe shopping in its stores.
It is also the parent company of Winners and HomeSense in Canada.