Hackers have stolen information from at least 45.7 million payment cards used by customers of US retailer TJX, which owns TJ Maxx, and UK outlet TKMaxx.
Hackers have stolen information from at least 45.7 million payment cards used by customers of US retailer TJX, which owns TJ Maxx, and UK outlet TKMaxx.
In a statement to US watchdogs the firm said it did not know the full extent of the theft and its effect on customers.
In a statement to US watchdogs the firm said it did not know the full extent of the theft and its effect on customers.
TJX added that the security breach may also have involved TKMaxx customers in the UK and Ireland.
TJX added that the security breach may also have involved TKMaxx customers in the UK and Ireland.
But the company added that at least three-quarters of the affected cards had expired or data had been masked.
But the company added that at least three-quarters of the affected cards had expired or data had been masked.
Question marks
Question marks
The company also told the BBC that 100 files were moved from its UK computer system in 2003, and two files were later stolen.
The company also told the BBC that 100 files were moved from its UK computer system in 2003, and two files were later stolen.
TJX HACKING TIMELINE 18 December 2006 - TJX discovers the breach in securityWithin days it hires outside investigators and notifies US federal authorities19 January 2007 - Publicly admits the problem, but not the full extent29 January 2007 - Reveals the full nature of the breachSays data was first hacked in July 2005Stolen bank card details date back to December 2002
However, a spokesperson admitted that the firm may never know what was in those files.
However, a spokesperson admitted that the firm may never know what was in those files.
"We don't know what was in those files - the technology the hacker used prevents TJX from knowing, and also the fact that TJX system routinely deletes files," the spokesperson added.
"We don't know what was in those files - the technology the hacker used prevents TJX from knowing, and also the fact that TJX system routinely deletes files," the spokesperson added.
The data was accessed on TJX's systems in Watford, Hertfordshire, and Massachusetts over a 16-month period from July 2005 and covers transactions made by credit and debit card dating as far back as December 2002.
The data was accessed on TJX's systems in Watford, Hertfordshire, and Massachusetts over a 16-month period from July 2005 and covers transactions made by credit and debit card dating as far back as December 2002.
Sandra Quinn from the Association of Payment Clearing Services (Apacs) told the BBC there had been a "massive" compromise of security - on a scale not seen before.
Sandra Quinn from the Association of Payment Clearing Services (Apacs) told the BBC there had been a "massive" compromise of security - on a scale not seen before.
We are deeply concerned about this event and the difficulties it may cause our customers Ben Cammarata, TJX
However, she said that that for most people, the card details stolen would no longer be relevant.
However, she said that that for most people, the card details stolen would no longer be relevant.
"If they were doing transactions with TK Maxx between those dates they will generally now have a brand new credit or debit card in their wallet, so they can be sure that it will be the old details of their card that has been compromised, not their current card."
"If they were doing transactions with TK Maxx between those dates they will generally now have a brand new credit or debit card in their wallet, so they can be sure that it will be the old details of their card that has been compromised, not their current card."
Customers who discovered they had been victims of fraud, would be able to get money back from their banks, she added.
Customers who discovered they had been victims of fraud, would be able to get money back from their banks, she added.
Chip and pin
Chip and pin
We are deeply concerned about this event and the difficulties it may cause our customers Ben Cammarata, TJX
The company, which discovered the problem three months ago and reported it two months ago, said that a lot of questions remained about the attack.
The company, which discovered the problem three months ago and reported it two months ago, said that a lot of questions remained about the attack.
"There is a lot of information we don't know, and may never be able to know, which is why this investigation has been so laborious," spokeswoman Sherry Lang said.
"There is a lot of information we don't know, and may never be able to know, which is why this investigation has been so laborious," spokeswoman Sherry Lang said.
In its filing to the Securities and Exchange Commission (SEC) the group said it believed "the intruder had access to the decryption tool for the encryption software utilized by TJX".
In its filing to the Securities and Exchange Commission (SEC) the group said it believed "the intruder had access to the decryption tool for the encryption software utilized by TJX".
It also admitted it did not know who, or how many people, were behind the attack, or whether there had been one breach or many.
It also admitted it did not know who, or how many people, were behind the attack, or whether there had been one breach or many.
The papers also said that a further 455,000 customers who returned merchandise without receipts had personal data stolen - including driver's licence numbers.
The papers also said that a further 455,000 customers who returned merchandise without receipts had personal data stolen - including driver's licence numbers.
However, the firm does not believe return customers at its UK stores were affected - or that chip and pin data in the UK was accessed as none is stored on the systems in Watford.
However, the firm does not believe return customers at its UK stores were affected - or that chip and pin data in the UK was accessed as none is stored on the systems in Watford.
The company warned many of its operations could be affected.
The company warned many of its operations could be affected.
Hackers managed to access information from its TJ Maxx, Marshalls and HomeGoods shops in the US and Puerto Rico, Bob's Stores in the US, and Winners and HomeSense shops in Canada.
Hackers managed to access information from its TJ Maxx, Marshalls and HomeGoods shops in the US and Puerto Rico, Bob's Stores in the US, and Winners and HomeSense shops in Canada.
Ben Cammarata, TJX chairman and acting chief executive, urged customers to check their credit and debit cards statements and any other account information for unauthorised use.
Ben Cammarata, TJX chairman and acting chief executive, urged customers to check their credit and debit cards statements and any other account information for unauthorised use.
"We are deeply concerned about this event and the difficulties it may cause our customers," he added.
"We are deeply concerned about this event and the difficulties it may cause our customers," he added.
"Since discovering the crime, we have been working diligently to further protect our customers and strengthen the security of our computer systems."
"Since discovering the crime, we have been working diligently to further protect our customers and strengthen the security of our computer systems."
Have you used your credit or debit card in TKMaxx? Are you worried that your details might have been stolen? Should more be done to protect your card details? Send us your comments using the form below:
Have you used your credit or debit card in TKMaxx? Are you worried that your details might have been stolen? Should more be done to protect your card details? Send us your comments using the form below: