The TJX Companies has disclosed that at least 45.7m of its customer records were stolen from databases in 2005 and 2006, but said that nearly three-quarters of them couldn't be used by the hackers.

In its annual report, filed with the Securities and Exchange Commission yesterday (28 March), the company provided the first specific numbers about the investigation into the card fraud discovered in mid-December and first disclosed in mid-January.

Emphasising that it had not yet uncovered the total extent of the theft, and possibly might not ever be able to, Framingham, Massachusetts-based TJX said that a total of 45.7m credit and debit card numbers were stolen and that another 455,000 customer records were obtained based on data entered into its system about merchandise returned to it without receipts.

However, the overwhelming majority of these records were either for expired cards or for accounts that were entered into its system in encrypted form, meaning that asterisks substituted for numbers.

But based on its research so far, conducted in tandem with law enforcement officials as well as General Dynamics Corp and International Business Machines Corp, at least 11.6m records, or about 24.4% of the total uncovered so far, were obtained illegally from valid accounts with no encryption of customer information.

The "computer intrusions" took place beginning in July 2005 and on subsequent dates that year as well as from mid-May 2006 until the mid-January of this year, but TJX doesn't believe that customer data were compromised after 18 December 2006, the date on which it discovered unauthorised software on its computers.

TJX reiterated its belief that no transactions involving Bob's Stores were accessed, but indicated that customer data involving its TJ Maxx, Marshalls, HomeGoods and AJ Wright divisions in the US and Puerto Rico, from its Winners and HomeSense chains in Canada and from its TK Maxx operation in the UK and Ireland may be at risk.

Last week, six people in Florida were arrested and charged with using payment card information stolen from TJX to buy approximately US$1m of merchandise with gift cards.

In response to lawsuits brought against the company in the wake of the credit scam, and an investigation into it and what some deemed to be a delayed disclosure of the problem, TJX stated in its annual report, "We are vigorously defending the litigation and claims asserted against us with respect to the computer intrusion."

An employee of TJX told just-style that no mention of the computer hacking incidents was made during a conference call with Carol Meyrowitz, chief executive officer, earlier in the week.