Dixons Carphone says it has been the victim of an “unauthorised data access” in which millions of customer bank card details were targeted over the past 12 months.
The company believed there were attempts since last July – discovered over the past week – to compromise 5.9 million cards in one of its processing systems for Currys PC World and Dixons Travel stores.
It said there was currently no evidence of any fraudulent use of the information – with the vast majority of the cards having chip and pin protection.
However, it added that the company said it had notified card providers to 105,000 non-EU issued cards which did not have chip and pin technology so those customers could be immediately protected.
In addition, Dixons Carphone said 1.2 million personal data records were hacked.
It admitted non-financial personal data, such as names, addresses or email addresses, was accessed but it again insisted that it had seen no evidence of any fraud at this stage.
Related: Why email is so dangerous
The breach was currently being investigated by police, it said, while regulators had also been informed.
It is the second hack the company has been forced to admit publicly in the past three years after it was targeted in 2015.
The company’s shares lost 5% of their value when trading began on Wednesday morning shortly after the latest disclosure.
Chief executive Alex Baldock said: “We are extremely disappointed and sorry for any upset this may cause.
“The protection of our data has to be at the heart of our business, and we’ve fallen short here.
“We’ve taken action to close off this unauthorised access and though we have currently no evidence of fraud as a result of these incidents, we are taking this extremely seriously.
“We are determined to put this right and are taking steps to do so; we promptly launched an investigation, engaged leading cyber security experts, added extra security measures to our systems and will be communicating directly with those affected.”
The hacking represents a baptism of fire for Mr Baldock, who took over after Seb James quit as chief executive in January to take the helm at Boots.
Dixons Carphone has issued a series of profit warnings since last summer amid tough trading for its mobile phone arm.
It has part-blamed a slowdown in upgrades to new handsets for financial woes which have forced the company to slim down its Carphone Warehouse operation.
The data breach could potentially leave the company open to a large fine.
The Information Commissioner’s Office (ICO) imposed penalties totalling £500,000 on TalkTalk for failings after it was hit by a major cyber attack in 2015 that exposed details on 150,000 customers.
An ICO spokesman said on Wednesday: “An incident involving Dixons Carphone has been reported to us and we are liaising with the National Cyber Security Centre, the Financial Conduct Authority and other relevant agencies to ascertain the details and impact on customers.
“Anyone concerned about lost data and how it may be used should follow the advice of Action Fraud.”
NOW SEE: A financial hacker shows the simple mistakes we make every day (Lovemoney)