In its filing to the Securities and Exchange Commission (SEC) the group said it believed "the intruder had access to the decryption tool for the encryption software utilized by TJX".
If these card numbers were in fact stolen from the Playstation Network, it may be that the encryption Sony says it used was weak, badly implemented, or that the decryption key was included in the stolen data.