The credit card details of UK customers of TK Maxx are likely to be in the hands of data thieves. Some of the information stolen from the retailer was taken from the UK and Ireland computer system.
The TK Maxx chain of shops has had over 45 million customer credit card details stolen from it. The company cannot even say with certainty what the damage is because some of its own records have been deleted.
The shop's parent company, TJX Companies, has submitted a regulatory filing to the US financial regulator, the Securities and Exchange Commission (SEC). In it, the company described how hackers broke into its system and stole the details of 45.7 million customers.
That filing makes it clear that UK customer details are almost certainly part of the thieves' haul. "We believe that information was stolen in the Computer Intrusion from … a portion of our computer systems in Watford, U.K. that processes and stores information related to payment card transactions at T.K. Maxx in the United Kingdom and Ireland ('Watford system')," said the filing.
The incident is already being called the biggest data breach ever and fraudulent transactions resulting from it have been logged in a number of US states, Hong Kong and Sweden.
"We suffered an unauthorized intrusion into portions of our computer systems that process and store information related to customer transactions that we believe resulted in the theft of customer data," said the filing. "We do not know who took this action and whether there were one or more intruders involved, or whether there was one continuing intrusion or multiple, separate intrusions."
TJX said that around 75% of the cards had their numbers blacked out or will have expired by now, but the firm did admit that the hackers could use decryption tools to uncover hidden numbers.
The hackers were able to steal the information because of a flaw in the TJX computer payments network. Hackers had access to data in 2005 and 2006.
TJX is unable to give exact details of all the lapses because it destroyed many of the relevant records after a fixed period of time.
Also stolen were driving licence and other personal information on a further 450,000 people. Those records are believed to belong to people who returned goods without a receipt.
TJX reported that there had been a breach in January. Customers who shopped between January 2003 and June 2004 are at risk of having had their data stolen.
The company has said that the actual number of people affected could rise even beyond 45 million.
Several states, including the tech hub of California, have a legal requirement that companies alert customers when there has been a data breach, but there is no federal law to that effect in the US.