The company, which first gave notice of the operation in January, also estimates that the data of a further 451,000 consumers has been stolen when they returned goods without a receipt.
It is thought that computer hackers obtained the details over an 18-month period and have since used them to commit fraud which the company so far estimates at $5 million, with purchases recorded as far afield as the southern states of the US, the UK, Sweden and Hong Kong.
Commenting on the developments, Terrence Defranco, of computer security specialists Edentify, told Reuters: "In terms of the damage that's created, I would say this is very significant because of the sheer number [of people involved]"
Since news of the data capture broke, ten people have been arrested in Florida on suspicion of buying data that derived from the scam, although no further arrests have been made in relation to the case.
Shares in TJX have declined by ten per cent since the company's announcement.
The largest data theft prior to the TJX case was in 2005, when details contained on 40 million credit cards were captured from CardSytems Solutions.