Security breach too big for new state law
Attorney general warns shoppers to check statements
Tuesday, January 23, 2007

If you've shopped at TJ Maxx, Marshalls or several other off-price stores in the last few years, the Pennsylvania Attorney General's office is urging you to monitor your credit card and bank statements for fraudulent activity.

The warning comes in the wake of last week's announcement by the stores' parent company, TJX Cos., that customer data, including credit card and debit card numbers, had been stolen by computer hackers.

In a letter posted on its Web site, TJX said it was trying to determine the number of affected customers. Experts estimated it would be in the tens of millions.

Under a new state law that took effect in June, businesses are required to notify Pennsylvania consumers by letter, telephone or e-mail if sensitive personal data is lost or stolen, exposing them to the risk of identity theft. But the AG's office, which enforces the statute, said yesterday that personal notice is not required if more than 175,000 consumers are involved or if the cost of notification would exceed $100,000.

In that case, companies may disclose the security breach with notices on their Web sites and by notifying major statewide media.

"It appears from what we can tell, TJX abided by the [new state] law," spokesman Kevin Harley said yesterday.

The company, which said the breach also affected check and merchandise return transactions, established a toll-free hot line to answer consumer questions at 1-866-484-6978. It also posted advice on its Web site about checking credit reports.

The AG's office reminded consumers that they are entitled to a free annual copy of their credit report from each of the three main credit bureaus by calling a central toll-free number, 1-877-322-8228. Reports also can be ordered online at www.annualcreditreport.com.

TJX, which also operates HomeGoods, A.J. Wright and Bob's Stores in the United States, said it believes the breach happened in May 2006 but also involved data dating back to 2003. It said it discovered the breach in mid-December but waited until last week to disclose it at the request of law enforcement.

On its Web site, TJX said it has beefed up security of its computer systems and has been working with major credit card companies, including American Express, Discover, MasterCard and Visa, and other entities that process its customer transactions to identify compromised accounts.

TJX "strongly recommends" that customers review account statements and notify their credit or debit card company or bank if they suspect fraud. Major card issuers emphasized that customers are not liable for fraudulent transactions.

TJX has declined to comment on whether it had been in compliance with credit card company rules that prohibit retailers from retaining certain customer data after a transaction is processed.

Some credit unions and small banks have been reissuing customers' credit and debit cards as a precaution.

The state's largest bank, Pittsburgh-based PNC Bank, said yesterday it was closely monitoring the situation.

"We have not identified any fraudulent activity related to that breach on our customer accounts," spokeswoman Darcel Kimble said in an e-mail.

National City Bank issued a statement saying it was working with Visa to determine any potential impact of the breach and "will notify customers directly if there is any need for action for their protection."

First published on January 23, 2007 at 12:00 am
Patricia Sabatini can be reached at psabatini@post-gazette.com or 412-263-3066.