Company officials said that in addition to the IT systems break-ins TJX detailed in January 2007 -- which occurred during 2003 and between May and December 2006 -- it now believes that intruders also infiltrated its databases repeatedly during 2005.

TJX offered no further details regarding the nature or volume of the information that was accessed by outsiders during the newly reported intrusions, and said that the firm only recently discovered the additional incidents, which started in July 2005 and continued over a period of time that the company classified only as "subsequent dates," in a statement.

The fact that TJX -- which has already been publicly chided by MasterCard International, among others, for failing to meet established data security standards -- is still unraveling the exact details of the attack serves as testament to the notion that ill-prepared businesses will struggle just to understand how and when they've been penetrated, experts said.

"The scary thing is that we are learning that this type of situation is not uncommon. It's like someone broke into your house by picking the lock and only took items you wouldn't notice were missing," said Richard Mogull, an analyst with Gartner, in Stamford, Conn.

"Companies such as retailers are collecting tons of information and not securing it properly, and if they don't have sufficient monitoring technology in place, which most firms do not, it's surprising that they can figure out what has happened at all," he said.