Dixons Carphone says it has been the victim of an “unauthorised data access” in which millions of customer bank card details were targeted over the past 12 months.
The company believed there were attempts since last July – only discovered over the past week – to compromise 5.9 million cards in one of its processing systems for Currys PC World and Dixons Travel stores.
It said there was currently no evidence of any fraudulent use of the information – with the vast majority of the cards having chip and pin protection.
However, Dixons Carphone said it had notified the card providers of 105,000 non-EU issued cards that did not have chip and pin technology so those customers could be immediately protected.
In addition, Dixons Carphone said 1.2 million personal data records were hacked.
It admitted non-financial personal data, such as names, addresses or email addresses, was accessed but it again insisted that it had seen no evidence of any fraud at this stage.
The breach was currently being investigated by police, it said, while regulators had also been informed.
It is the second hack the company has been forced to admit publicly in the past three years after it was targeted in 2015.
The company’s shares lost 5% of their value when trading began on Wednesday morning shortly after the latest disclosure.
Chief executive Alex Baldock said: “We are extremely disappointed and sorry for any upset this may cause.
“The protection of our data has to be at the heart of our business, and we’ve fallen short here.
“We’ve taken action to close off this unauthorised access and though we have currently no evidence of fraud as a result of these incidents, we are taking this extremely seriously.
“We are determined to put this right and are taking steps to do so; we promptly launched an investigation, engaged leading cyber security experts, added extra security measures to our systems and will be communicating directly with those affected.”
The hacking represents a baptism of fire for Mr Baldock, who took over after Seb James quit as chief executive in January to take the helm at Boots.
Dixons Carphone has issued a series of profit warnings since last summer amid tough trading for its mobile phone arm.
It has part-blamed a slowdown in upgrades to new handsets for financial woes which have forced the company to slim down its Carphone Warehouse operation.
The data breach could potentially leave the company open to a large fine.
The Information Commissioner’s Office (ICO) imposed penalties totalling £500,000 on TalkTalk for failings after it was hit by a major cyber attack in 2015 that exposed details on 150,000 customers.
An ICO spokesman said on Wednesday: “An incident involving Dixons Carphone has been reported to us and we are liaising with the National Cyber Security Centre, the Financial Conduct Authority and other relevant agencies to ascertain the details and impact on customers.
“Anyone concerned about lost data and how it may be used should follow the advice of Action Fraud.”
Alex Neill, managing director of home products and services at the consumer group Which?, said: “This massive breach will cause real worry to millions of customers and raises serious questions about how Dixons Carphone has been looking after customers’ data – so it is critical that the company moves quickly to ensure those affected get clear information about what has happened and what steps they should take to protect themselves.
“Data breaches are becoming more and more common, but consumers lack the powers they need to ensure companies are held to account.
“That is why the Government should give independent bodies the power to seek collective redress on behalf of affected customers when a company has failed to meet its data protection obligations.
“Anyone concerned they could be at risk of fraud should consider changing their online passwords, monitor bank and other online accounts and be wary of emails regarding the breach as scammers may try and take advantage of it.”