The Massachusetts Bankers Association (MBA) said that as of last Wednesday, card numbers taken from TJX's systems had been used to make fraudulent purchases in Georgia, Florida and Louisiana, as well as in Hong Kong and Sweden.

Both MasterCard International Inc. and Visa U.S.A. Inc. declined to comment on the MBA's claims about fraudulent uses of card numbers. TJX officials didn't respond to requests for comments about the reported misuse of card data.

In addition, the MBA said it is "strongly" pushing for state legislation that would require credit card firms to quickly disclose the source of a retail data breach. MasterCard, Visa and other card companies typically don't divulge that information to card-issuing banks when notifying them of security incidents.

Daniel Forte, the MBA's CEO, said in a statement that the credit card companies also should hold the source of a breach financially liable -- especially if the retailer was storing card data in violation of the Payment Card Industry (PCI) Data Security Standard.

TJX hasn't disclosed what information was compromised. But according to the MBA and other financial industry sources, the retailer appears to have been storing account numbers, expiration dates and other so-called Track 2 data taken from the magnetic stripe on the back of cards. Keeping such data is forbidden under PCI.