It seems the damage, which led some customers to cancel or change their credit and debit card numbers, was worse than originally reported.
TJ Maxx said in January that it believed the intrusion only took place from May 2006 to January 2007, but the company said today in a statement its computer system was compromised in July 2005 and other dates in that year.
In another new development, the company now believes that information regarding portions of the credit and debit card transactions at its U.S., Puerto Rican and Canadian stores (excluding debit card transactions with cards issued by Canadian banks) from January 2003 through June 2004 was compromised.
Also, for most of the transactions from September 2003 through June 2004, some of the card information was masked at the time of the transaction, making that portion unavailable to the intruder.
TJ Maxx also said that customer names and addresses were not included with the credit and debit card data believed to have been compromised.
"We are working with leading computer security firms to investigate the problem and enhance our computer security in order to protect our customers' data," TJX Companies President and CEO Carol Meyrowitz said in a letter on the company's Web site today.
"We are dedicating significant resources to evaluate the issue. Given the nature of the breach, the size and international scope of our operations and the complexity of the way credit card transactions are processed, the evaluation is, by necessity, taking time."
Andrew Jaquith, a security analyst with the Yankee Group, told internetnews.com the only good news for TJ Maxx is that "it will be someone else next month."
Jaquith, who credited TJ Maxx for reporting the new findings right away, said a lot of companies are struggling with these kind of security issues.
"Personally identifiable or non-public information is the asbestos of 2006 and 2007," said Jaquith. "A lot of places we like to frequent have it and all of a sudden we find it's toxic."
And just like asbestos, he said the process of cleaning up and securing confidential data online is going to be a long, expensive process.
"There is no silver bullet, but one of the key points I make to companies is to ask what information they are keeping about their customers. If they don't know, that's a problem right there," said Jaquith.
He added that in a lot of instances, companies are collecting customer data they don't need, like Social Security and license numbers.
He suggested that if such background info is necessary from a security point of view at time of purchase, companies still make the mistake of hanging onto the data for too long.