Framingham, Mass.-based TJX said an "unauthorized intruder" in mid-December and may have made off with the card data of customers in the U.S., Canada and Puerto Rico, as well as the U.K. and Ireland. TJX didn't disclose how many shoppers might have been affected by the breach, saying that the full extent of the data theft "is not yet known."

At least some of the stolen information appears to have been so-called Track 2 data taken from the magnetic stripes on the back of credit and debit cards, said Benson Bolling, assistant vice president of lending at the Alabama Credit Union in Tuscaloosa.

The credit union is recalling and replacing about 2,900 Visa debit and credit cards after having received multiple alerts last week from Visa U.S.A. Inc. about card information -- including Track 2 data -- being compromised in a retail breach. The alerts didn't identify the retailer involved in the breach, Bolling said.

Track 2 data includes account numbers, encrypted personal identification numbers and expiration dates, plus other information that card-issuing banks can include at their discretion. Retailers are forbidden from storing such information under the Payment Card Industry (PCI) Data Security Standard being pushed by Visa, MasterCard International Inc. and other credit card companies. But many retailers continue to do so, often because their point-of-sale systems capture and store the data by default.

Further protections