TJX, the US retailer that owns the TK Maxx stores, revealed today that 45.7 million credit and debit card numbers had been stolen from its computer systems.

British and US police are investigating the theft, which took place over an 18-month period, and is believed to be the biggest card heist on record.

It affects purchases going back to December 2002, including some made by British customers at the company's 210 UK stores, for which details were stored on a system in Watford.

Read the SEC filing here.

TJX said that it did not know now many British customers had been affected, or the extent of any fraud arising out of the stolen information, but that banks with which it has contracts had indicated that they had "preliminary evidence of possible fraudulent misuse" of the card details.

The Metropolitan Police, the Information Commissioner's Office and Visa Europe have all received intelligence on the theft, which is understood to have happened in the US and involved the thieves hacking into TJX's US and UK computer systems.

In a filing with the Securities and Exchange Commission, TJX said that its systems were first infiltrated in July 2005, and that the unauthorised access continued over an 18-month period.

The filing said another 455,000 customers who returned merchandise without receipts, and so had to provide personal data such as driving license numbers, had these details stolen as well.

TJX first discovered that there was suspicious software on its system in December and revealed it suspected numbers had been stolen in January, but has only today provided details of the full extent of the theft. It said it still knows little about the full scope of the breach, in part because the hacker or hackers accessed TJX’s encryption software and could have known how to unscramble the information.

In addition, TJX deleted much of the transaction data in the normal course of business between the time of the breach and the time that TJX detected it, making it impossible to know how many total cards were affected.

TJX says its computer systems were first breached in July 2005 by a hacker or hackers who accessed information from customer transactions dating to January 2003.

Police charged six people in Florida last week with using credit card numbers that investigators believe were stolen from a TJX database to buy about $1 million in merchandise with gift cards. These numbers may have been bought from the original hackers.

TJX is facing an investigation by the Federal Trade Commission and lawsuits from individuals and banks accusing it of failing to do enough to safeguard private data and of delaying disclosure of the problem.

Times Recommends

• Minister in talks with Saudis to protect creditors
• Premier Inn hits back in £29-a-room row
• Bankers hit back at 'populist' bonus supertax