Two months ago, retailer TJX, owner and operator of 2,500 stores in the United States, revealed that hackers who accessed the company’s customer information stole data from at least 45.7 million credit and debit cards. According to the Associated Press, at the time, the company said that about three-quarters of those cards had either expired at the time of the theft, or data from their magnetic strips had been hidden — stored as asterisks rather than numbers.

However, TJX says that it still knows little about the full scope of the breach. The hacker or hackers accessed TJX’s encryption software and may have been able to unscramble the information. “There is a lot of information we don’t know, and may never be able to know, which is why this investigation has been so laborious,” TJX spokeswoman Sherry Lang says.

Here is a recap of the investigation to date:
• The company’s computer systems were first breached in July 2005 by a hacker or hackers who accessed information from customer transactions dating to January 2003. TJX was unaware of the breach until about three months ago.
• Information from 45.7 million cards was stolen from transactions beginning in January 2003 and ending Nov. 23 of that year. The company did not provide estimates of the number of cards from which information was stolen for transactions occurring from Nov. 24, 2003 to June 28, 2004.
• The intruder may have had access to the decryption tool for the encryption software utilized by TJX.
• Police charged six people in Florida last week with using credit card numbers that investigators believe were stolen from a TJX database to buy about $1 million in merchandise with gift cards.
The filing gives the first detailed account of the breach initially disclosed TJX, the owner of T.J. Maxx, Marshall’s and other stores in North America and the United Kingdom.