Detailing the sheer magnitude of a crime first reported earlier this year, TJX yesterday disclosed in financial reports that at least 45.6 million credit and debit card numbers were stolen in 2005 and another 130,000 last year by hackers who have yet to be caught.

According to Gartner security expert Avivah Litan, the volume of stolen data gives TJX the dubious distinction of being the biggest known victim of hacker-based card fraud in history.

“This is the biggest card heist we’ve heard of so far,” said Litan, an expert in e-commerce-related security.

TJX, which has 125,000 employees and operates hundreds of T.J. Maxx and other stores in the United States and the United Kingdom, did not immediately return a call for comment about the investigation. Earlier this year TJX publicly stated it had contacted law enforcement in December 2006 when it “learned of suspicious software” within its computer systems.

According to the Securities and Exchange Commission filing, since last December TJX has been working with the Department of Justice, the Secret Service, and the U.S. Attorney in the Boston office in a criminal investigation to nab the intruders. TJX also is supplying information to the California attorney general’s office, the Canadian Provincial Privacy Commissioners, and the U.K. Information Commissioner, as well as to the London metropolitan police.

Although Florida law enforcement has identified four suspects who may be part of the case, Litan said her “educated guess” is that the trail will lead to organized crime rings in Eastern Europe.

“Organized crime rings farm out a substantial part of the work, such as the counterfeiting, usually to crack addicts,” she noted.

Litan said her sources view the TJX data-theft case as a targeted attack by hackers who broke in through unprotected wireless LANs, and made their way through the TJX network to the controllers to set up operations inside the TJX network to capture card data. “They basically used a program to just capture the data,” Litan said, noting this was “educated conjecture.”

In the SEC filing, TJX suggests hackers were tampering with customer data.

TJX states that before the computer intrusion was discovered, the company may have inadvertently deleted “in the ordinary course of business the contents of many files that we now believe were stolen. In addition, the technology used by the Intruder has, to date, made it impossible for us to determine the contents of most of the files we believe were stolen in 2006.”