Huge TJ Maxx data breach
PrntRhd
01-30-2007, 01:34 AM
It seems the TJ Maxx family of stores were storing customer card transaction information dating back to 2003. Now the credit card companies are going to fine the credit card clearing banks for not making certain the merchants whose transactions they cleared are following security rules.
http://www.informationweek.com/news/showArticle.jhtml;jsessionid=YOL30SJSOWHAYQSNDLRCK H0CJUNN2JVN?articleID=197001447
Merchants like TJX aren't supposed to store cardholder data because a thief can use that information to create a counterfeit credit or debit card using discarded gift card stock, says an executive at a California credit union that issues Visa cards to its members. "I can see storing data for a few hours or a day until transactions clear, but some of the stolen data goes back to 2003," he adds. "That's a long time to be out of compliance."
deddard
01-30-2007, 03:51 AM
I think this company is going to get skinned alive - and deservedly so.
There is no reason to store card info like that - the security implications are frightening.
PrntRhd
03-22-2007, 12:10 AM
And now an update, the information stolen from TJ Maxx stores is being used in Florida to steal $8 million in merchandise from WalMart:
http://www.informationweek.com/news/showArticle.jhtml;jsessionid=4RVV1GQ4CE4SYQSNDLOSK HSCJUNN2JVN?articleID=198100636
The scam involves making $400 gift cards.
If I were WalMart's insurers, I would be looking at billing TJ Maxx for the $8 million about now.
PrntRhd
05-03-2007, 12:51 AM
Another update: the financial damage from TJ Maxx's data theft may be $4.5 Billion.
http://www.informationweek.com/news/showArticle.jhtml;jsessionid=4OXEAPVILMO42QSNDLPCK H0CJUNN2JVN?articleID=199203277
Also, Cincinnati-based Fifth Third Bank, who processed most of the TJ Maxx transactions and who was supposed to enforce data security rules set up by the credit card companies, is selling their credit card business to Bank of America in the next several months.
johnny_quest
05-03-2007, 07:25 PM
My Citibank Shell MasterCard was automatically canceled. I got an automated voice message from the "fraud department" saying to call them immediately... I thought something happened, but it was a preventative measure from the TJ Maxx thing, I must have shopped there before... What a pain. All the consumers should get an additional $100 per card number lost as well.
PrntRhd
08-11-2007, 09:59 PM
I just came across this update on the TJ Maxx breach:
http://www.informationweek.com/news/showArticle.jhtml;jsessionid=1ASGMGLZUSBMAQSNDLRCK H0CJUNN2JVN?articleID=201400171
Poorly secured in-store computer kiosks are at least partly to blame for acting as gateways to the company's IT systems, InformationWeek has learned. According to a source familiar with the investigation who requested anonymity, the kiosks, located in many of TJX's retail stores, let people apply for jobs electronically but also allowed direct access to the company's network, as they weren't protected by firewalls. "The people who started the breach opened up the back of those terminals and used USB drives to load software onto those terminals," says the source. In a March filing with the Securities and Exchange Commission, TJX acknowledged finding "suspicious software" on its computer systems.
They got more than just job applicants.
They also had some WiFi security issues as well.
In May, The Wall Street Journal cited a separate entry point, reporting that data thieves had accessed an improperly secured Wi-Fi network from the parking lot of a Marshall's store in St. Paul, Minn. The thieves reportedly used a wireless data poaching tactic called "wardriving" and exploited the deficiencies of the aging Wired Equivalent Privacy wireless security protocol.
also
The company says the stolen data includes account information for about 45.7 million separate payment cards, though TJX claims that 75% of those cards were either expired at the time of the theft or the stolen information didn't include the security code data from the magnetic stripe on the cards. The company thinks that driver's license numbers, military IDs, and state IDs for 455,000 customers, together with their names and addresses, also were stolen.
pentachris
08-12-2007, 02:23 AM
I just came across this update on the TJ Maxx breach:
http://www.informationweek.com/news/showArticle.jhtml;jsessionid=1ASGMGLZUSBMAQSNDLRCK H0CJUNN2JVN?articleID=201400171
The thieves reportedly used a wireless data poaching tactic called "wardriving" and exploited the deficiencies of the aging Wired Equivalent Privacy wireless security protocol.
Someone in their IT department needs a new job flipping burgers.
/bangs head on desk...
Fruss Tray Ted
08-12-2007, 02:55 AM
...not really, it should be making license plates (prison).