Information from at least 45.7 million credit and debit cards was stolen by hackers who accessed TJX's customer information in a security breach that the discount retailer disclosed more than two months ago.
TJX , the owner of about 2,500 stores, said in a regulatory filing late Wednesday that about three-quarters of those cards had either expired at the time of the theft, or data from their magnetic strips had been masked -- stored as asterisks rather than numbers.
But TJX acknowledged it still knows little about the full scope of the breach, in part because the hacker or hackers accessed TJX's encryption software and could have known how to unscramble the information.
In addition, TJX deleted much of the transaction data in the normal course of business between the time of the breach and the time that TJX detected it, making it impossible to know how many total cards were affected.
'There is a lot of information we don't know, and may never be able to know, which is why this investigation has been so laborious,' TJX spokeswoman Sherry Lang said on Thursday.
The company provided an update of its investigation in a regulatory filing made after business hours Wednesday.
TJX says its computer systems were first breached in July 2005 by a hacker or hackers who accessed information from customer transactions dating to January 2003. TJX says it didn't find out about the breach until about three months ago.
Information from 45.7 million cards was stolen from transactions beginning in January 2003 and ending Nov. 23 of that year, TJX said in the filing with the Securities and Exchange Commission. TJX did not give estimates of the number of cards from which information was stolen for transactions occurring from Nov. 24, 2003 to June 28, 2004.
TJX said in the filing that 'substantially all stolen data' from the latter period 'were deleted in the ordinary course of business subsequent to the believed theft but prior to discovery of computer intrusion.'
Lang said TJX was investigating why information stolen during the initial nine-month period in 2003 wasn't been routinely deleted. The filing also says, 'We believe that the intruder had access to the decryption tool for the encryption software utilized by TJX.'
The filing also said another 455,000 customers who returned merchandise without receipts had their personal data stolen, including driver's license numbers.
The filing gives the first detailed account of the breach initially disclosed in January by Framingham-based TJX, the owner of T.J. Maxx, Marshall's and other stores in North America and the United Kingdom.
The filing says the company 'does not know who took this action, and whether there were one or more intruders involved.' Also unknown is whether there was a single continuing breach, or multiple, separate intrusions.
Police charged six people in Florida last week with using credit card numbers that investigators believe were stolen from a TJX database to buy about $1 million in merchandise with gift cards. The gift cards had been purchased from Wal-Mart stores, and were used to acquire electronics and jewelry at Wal-Mart's Sam's Club warehouse stores.
TJX's Lang said Thursday that the company could not yet confirm whether the data used in those thefts originated at TJX.
Gainesville, Fla. police have said they believe the Florida suspects bought the card numbers from someone else, and weren't the TJX hackers.