While the company has refused to reveal how many customers may be affected by the incident, TJX officials have confirmed that a majority of the data involved is related to people who shopped at its stores in the United States, Canada and Puerto Rico during 2003, and between May and December 2006.

On Feb. 21, TJX announced that it had discovered a new set of IT systems intrusions that exposed the personally identifiable information of its customers. Company officials said that in addition to the IT systems break-ins it detailed in January, it now believes that intruders infiltrated its databases repeatedly during 2005.

Reports of crime connected to the TJX data theft first surfaced on Jan. 24, when the Massachusetts Bankers Association reported that several banks in the state had observed instances of fraud specifically related to the accounts of consumers involved in the TJX incident.

The industry group said at the time that it had received reports of criminal activity carried out via debit and credit card accounts exposed in the heist in locations including Florida, Georgia and Louisiana in the United States, as well as in Hong Kong and Sweden overseas.

When TJX first reported the incident in January, company officials said they had become aware of the data theft in late 2006 but waited to begin informing customers of the breach in deference to ongoing law enforcement investigations, including those being carried out by the U.S. Department of Justice and U.S. Secret Service.

The Massachusetts Bankers Association, among others, publicly criticized the company for not moving to disclose the incident faster.

Over the past two years, more than 30 U.S. states have adopted new laws that establish more rigid guidelines for the reporting of consumer data exposure. A bill under consideration in Massachusetts would require organizations to inform consumers within five business days after a breach affecting their data is detected.