"The recent TJX data breach demonstrates that Massachusetts citizens do not have all the necessary tools to protect themselves against identity theft or credit card fraud," Coakley said in her statement.

Although the attack began in May 2006, the breach was not discovered by TJX until mid-December. The company said it delayed disclosing the intrusion until January so it could contain the problem and meet confidentiality obligations to law enforcement agencies.

Fraudulent charges on stolen accounts have been reported in such far-flung places as Hong Kong and Sweden; TJX, however, has yet to confirm any direct impact. "TJX cannot address everything that others are reporting regarding the breach of our systems," the company said in an online FAQ on the break-in.

Coakley, who took office last month as Massachusetts' first female attorney general, added that her office would work with the state legislature on efforts to mitigate any repeat of the TJX breach. "There are several proposals pending, including those that would require notification of consumers when their data was stolen or released, or that would give consumers the right to place a security freeze on their credit reports," said Coakley.