TJX Cos. Inc. said a data security breach discovered in December was more extensive that originally estimated.
The Framingham, Mass., retailer, which owns the TJ Maxx brand, said Wednesday that intrusions on its computer system started as early as July 2005. Earlier it had said the intrusions began in May of last year.
The breach included data on credit and debit card purchases at TJX stores in the United States, Puerto Rico, and Canada, including transactions from January 2003 to June 2004.
No debit cards issued by Canadian banks were affected, the retailer said.
Some card information from September 2003 to June 2004 was masked when the transaction took place, TJX said.
More driver's license numbers were compromised than initially thought, TJX said; it collects license numbers for items that are returned without receipts.
The compromised numbers were taken in the last four months of 2003 and in May and June of 2004 at TJ Maxx, Marshalls, and HomeGoods stores in the United States and Puerto Rico, the retailer said.
The incident has prompted Massachussets lawmakers to consider a bill to make merchants liable for reimbursing banks for expenses incurred to recover from such data security breaches.
