In addition, the company said credit and debit card transactions completed between January 2003 and June 2004 at its U.S., Puerto Rican and Canadian outlets were compromised. TJX previously reported that the data was "potentially" accessed.
The company also said it has discovered evidence that the portion of its network that processes T.K. Maxx transactions may have also been hacked. T.K. Maxx stores are located in the U.K. and Ireland.
While some criticised TJX for failing to initially report the extent of the breach, customers should give the company a pass, said Miriam Wugmeister, head of the privacy and data security practice at Morrison and Foerster law firm in New York.
"It can be very difficult for organisations to quickly assess how much information has been compromised," she told SCMagazine.com today. "Sometimes, accurate information is equally important."
TJX still has not revealed how many customers have been affected, although industry experts suspect millions could be impacted.
"With the help of computer security experts, we have strengthened the security of our computer systems, and we believe customers should feel safe shopping our stores," Carol Meyrowitz, the company’s president and CEO, said Wednesday in a letter to customers.
"We value the trust our customers place in us and again, I’d like you to know that we sincerely apologise for any difficulties you may have caused."
The announcement comes as Massachusetts state representative introduced a first-of-its-kind bill that would force retailers such as TJX to compensate victims for losses when hackers breach their systems and steal private data.
As it stands now, in Massachusetts and in other states, banks are left covering the fraudulent losses. This bill would mandate that organisations doing business in Massachusetts take financial accountability for freezing credit card accounts.
TJX operates 821 T.J. Maxx outlets and 748 Marshalls stores and also owns HomeGoods, A.J. Wright and Bob’s Stores in the United States.