InfoWorld
TJX data heist confirmed as largest ever

Retailer reveals that attacks resulted in loss of 45.7 million consumer records


According to the SEC report, the company's systems were first attacked by outsiders during July 2005, and then repeatedly targeted until Dec. 2006, when TJX officials said they first became aware of the breach.

Once investigators were called in at that time, they determined the intruders were still present on the company's computing systems and began monitoring the attack, which finally concluded in January 2007.

Among the incidents that may have led to the firm's discovery of the breach were reports sent to TJX in November 2006 by law enforcement officials in Florida, who had uncovered a ring of thieves using credit cards stolen from the retailer to carry out fraudulent transactions. Six people have been jailed in connection with those crimes, and another four people are currently wanted by the Florida Department of Law Enforcement.

The company offered a number of new details about the types of data that were stolen via the intrusions.

TJX claims that one of the problems it has encountered during its investigation is that the information that thieves were lifting from its payment processing systems was also being routinely deleted by the company as part of its storage security practices.

"We have been able to identify only some of the information that we believe was stolen; prior to discovery of the computer intrusion, we deleted in the ordinary course of business the contents of many files that we now believe were stolen," the company said. "In addition, the technology used by the intruder has, to date, made it impossible for us to determine the contents of most of the files we believe were stolen in 2006."

The firm reported that customers' credit and debit card personal identification numbers (PINs) were likely not compromised because that information was encrypted at the point-of-sale before being stored on the Framingham systems and was not retained in the Watford systems. Customers' names and addresses were not stored on the Framingham system in connection with payment card or check transactions, the firm said.

Debit card information used by customers in the Canada stores was also not compromised, according to the report.

The firm said it stopped the practice of storing so-called Track 2 data taken from the magnetic stripes on payment cards after Sept. 2003, and that it had implemented masking tools to obscure PIN information and other payment card and check information in early 2006.

In its 10-K filing, TJX reported it has already spent roughly $5 million on recovery efforts related to the attack and indicated it may continue to pay for the incident, in particular through lawsuits. On March 21, one of the company's shareholders, the Arkansas Carpenters Pension Fund, announced a suit against TJX for failing to provide more details about the intrusion.

Matt Hines is a senior writer at InfoWorld.