Fraudsters who hacked the computer systems at US retailer TJX managed to steal more than 45.7 million credit and debit card numbers over a period of more than 18 months, making it the biggest breach of personal data ever.
In addition, personal data provided in 2003 by about 451,000 individuals who returned merchandise without receipts was also stolen.
The retailer revealed on 17 January that the computer system it uses to process and store information related to customer transactions had been hacked, potentially exposing millions of customers' credit and debit card numbers, as well as driver's licence information.
In an SEC filing, TJX says it first detected the suspect software on 18 December last year but believes its systems were first accessed in July 2005, on subsequent dates in 2005, and from mid-May 2006 to mid-January 2007, although no customer data was stolen after 18 December.
Hackers placed unauthorised software on TJX's computer network and stole at least 100 files containing data on millions of accounts from systems in Framingham, Massachusetts, and Watford in the UK.
These systems are used to process and store transaction information. TJX also believes the technology used by hackers in 2006 could have enabled them to steal card data from the Watford system during the payment process, when data is transmitted to the card issuer without encryption.
But even encrypted data may have been compromised, as TJX believes the hackers may have had access to its decryption tool.
The scale of the TJX breach eclipses the 2005 compromise at CardSystems, which exposed more than 40 million credit cards to hackers and was previously the largest known compromise of financial data.
Last month the office of the Massachusetts Attorney General said it was leading a multi-state civil investigation into the TJX security breach. Lawmakers in the state are considering introducing a bill that would make retailers liable for any costs and losses incurred as a result of a security breach.
TJX says the incident has already cost $5 million, although it says it can't currently estimate total losses.
Debit and credit card data exposed in the compromise is thought to have been used to make fraudulent purchases in Florida, Georgia and Louisiana in the US, as well as in Hong Kong and Sweden.