The TJX hack has been revealed as the biggest ever breach of personal data.
US Securities Exchange Commission filings by the firm show that 45.7m credit and debit card numbers were stolen over a period of 18 months.
The scale of the hack means it passes the Cardsystems breach in 2005, which exposed more than 40 million credit cards.
Hackers are said to have planted unauthorised software on TJX's computer network, to enable them to steal at least 100 files containing data on millions of accounts from systems in Framingham, Massachusetts and Watford in the UK.
By submitting your email address, you agree to receive emails regarding relevant topic offers from TechTarget and its partners. You can withdraw your consent at any time. Contact TechTarget at 275 Grove Street, Newton, MA.
TJX recently confirmed that customers of the TK Maxx chain in the UK were at risk of fraud as a result of the hack.
It is also believed that the hackers were able to crack TJX’s data encryption system, and also grab unencrypted data during the retail payment process.
TJX said the hack had so far cost it $5m (£2.63m) to deal with, although the losses are expected to go up steadily as the thieves start to cash in.
Criminals are reported to have already used the stolen card details to conduct fraud in several US states, along with Hong Kong and Sweden.