The breach occurred as far back as mid-May 2006 but was only discovered in mid-December, said company spokeswoman Debra McConnell. The original statement from Framingham, Mass.-based TJX announcing the data compromise last week only mentioned the discovery of the breach in December and made no mention of when the breach actually happened.

McConnell said the decision not to mention when the breach happened did not represent an "inconsistency" in the company's public reporting of the incident. "We had said in our press release that we had discovered the breach in mid-December but we did not put in when it occurred," she said.

McConnell did not provide details on the scope of the breach but reiterated the company's earlier statement that credit and debit card information belonging to "a limited number" of individuals had been stolen from the compromised system. "And by 'limited' we mean substantially less than millions," she said.

Meanwhile, a Canadian law firm, the Merchant Law Group, filed a class-action lawsuit against Winners and HomeSense, two TJX-owned retailers in Canada whose customers were affected by the breach.

The lawsuit was filed in courts in six Canadian provinces and seeks "financial recovery on behalf of all individuals for whom personal information has been revealed," a statement posted on the company's Web site said.