TJX Co., the parent company of T.J. Maxx and other retailers, on Wednesday dropped a bombshell in its ongoing investigation of a customer data breach by announcing in a Securities and Exchange Commission filing that more than 45 million credit and debit card numbers have been stolen from its IT systems. Information contained in the filing reveals a company that had taken some measures over the past few years to protect customer data through obfuscation and encryption. But TJX didn't apply these policies uniformly across its IT systems and as a result still has no idea of the extent of the damage caused by the data breach.

As a result, TJX is a company under siege. The company recorded a fourth-quarter charge of about $5 million to cover the costs of containing and investigating the breach, as well as improving the security of its IT systems, communicating with customers, and paying legal fee. The U.S. Federal Trade Commission has launched an investigation of TJX. While the FTC wouldn't reveal the nature of the investigation or when it began, it's likely the result of the data breach. And lawsuits have begun to fly, including one by the Arkansas Carpenters Pension Fund, which owns 4,500 shares of TJX stock.

The intrusion into TJX's IT systems also hands the retailer the dubious honor of surpassing the 40 million stolen customers record mark, something that only CardSystems had been able to achieve. And it puts to shame the Veterans Affairs Department, which last year briefly lost track of more than 26 million records thanks to a stolen employee laptop.

The effects of the stolen TJX data, not to mention the underground cybercriminal economy that trades in customer data, already are being felt. General Dynamics, IBM, TJX, and the various law enforcement entities investigating the cyberattack still don't know who took the customer information, but it's clear where some of that information ended up. Data stolen from TJX recently surfaced at Wal-Mart stores in Florida, where it's been used to help thieves steal about $8 million in merchandise from Wal-Mart stores. The thieves used the stolen TJX customer data to create dummy credit cards for purchasing Wal-Mart and Sam's Club gift cards, and then used those to hit stores in 50 of Florida's 67 counties.

TJX claims it also doesn't know "whether there was one continuing intrusion or multiple, separate intrusions," according to the SEC filing. What the company does know is that on Dec. 18, it learned of suspicious software on its computer systems. By Dec. 21, "there was strong reason to believe that our computer systems had been intruded upon and that an intruder remained on our computer systems," the filing says. Given that the intruder was still operating, U.S. Secret Service advised TJX officials that disclosure of the suspected intrusion might impede their criminal investigation and requested that the company keep a lid on the incident until law enforcement gave them the green light to announce the breach.

The company disclosed the breach on Jan. 17, only to later find that that the intrusion may have been initiated earlier than it had originally reported and that additional customer information potentially had been stolen. Based on the investigation to date, it's believed that TJX's computer systems were first accessed by an unauthorized intruder in July 2005, on subsequent dates in 2005, and from mid-May 2006 to mid-January 2007, but that no customer data were stolen after Dec. 18.