In a statement to the US SEC (Securities and Exchange Commission), the company which owes UK clothing outlet TKMaxx - TJX - revealed that hackers have stolen information from at least 45.7 million customer payment cards.
TKMaxx said it didn't know the full extent of the theft, and that it could involve TKMaxx customers in the UK and Ireland. At least three-quarters of the affected cards had expired or data had been masked. The data covers transactions made by credit- and debit-cards from December 2002 onwards.
A further 455,000 customers who returned merchandise without receipts had personal data stolen - including driver's licence numbers.
TKMaxx told the BBC that the theft occured after 100 files were moved from its UK computer system in 2003. Two files were later stolen, but the firm may never know what was in those files.
The company discovered the problem three months ago, but admitted that in many ways it remains in the dark about the attack. TKMaxx warned that many of its operations could be affected.
Ben Cammarata, TJX chairman and acting chief executive said: "We are deeply concerned about this event and the difficulties it may cause our customers."