After more than two months of refusing to reveal the size and scope of the high-profile intrusion into its systems, The TJX Companies finally disclosed details about the extent of the compromise.
In filings with the US Securities and Exchange Commission, the company said 45.6 million credit and debit card numbers were stolen from two of its systems over a period of more than 18 months by an unknown number of intruders.
That total eclipses the 40 million records compromised in the mid-2005 breach at the former CardSystems Solutions, and makes the TJX incident the worst publicly disclosed compromise involving the loss of personal card data.
Also stolen, the filing said, was personal data provided by about 451,000 people in 2003 in connection with the return of merchandise without receipts.
Gartner analyst Avivah Litan expressed surprise at the scope of the breach. "I had heard rumours that it was bigger than CardSystems, but I was still somewhat shocked it was actually this big," he said.
"It proves there are very sophisticated cyber-criminals out there who have the potential to wreak havoc on pure-payment systems. If this isn't a wake-up call for stronger card and payment system security, I'm not sure what is."
In its filing, TJX said it was in the process of contacting individuals affected by the breach.
"Given the scale and geographic scope of our business and computer systems and the time frames involved in the computer intrusion, our investigation has required a substantial period of time to date and is not completed," the company said.