Retailer Dixons Carphone has admitted a serious data breach stretching back nearly a year involving 5.9 million payment cards and 1.2 million personal data records.
While it said there was no evidence of fraudulent use of the data, it said it was investigating the hacking attempt, which began in July 2017.
An “attempt to compromise” was made on 5.9 million credit and debit cards, but 5.8 million of those are chip and pin protected. Despite that, approximately 105,000 are not protected and have been leaked, it said.
It added the hackers had targeted one of the processing systems of Currys PC World and Dixons Travel stores.
Separately, Dixons Carphone said its investigation also found that 1.2m records containing non-financial personal data, such as name, address or email address, were accessed. It added that there is “no evidence that this information has left our systems or has resulted in any fraud at this stage”.
“We are contacting those whose non-financial personal data was accessed to inform them, to apologise, and to give them advice on any protective steps they should take,” its statement said.
Dixons Carphone chief executive Alex Baldock said: “The protection of our data has to be at the heart of our business, and we’ve fallen short here. We’ve taken action to close off this unauthorised access and though we have currently no evidence of fraud as a result of these incidents, we are taking this extremely seriously.
“We are determined to put this right and are taking steps to do so; we promptly launched an investigation, engaged leading cyber security experts, added extra security measures to our systems and will be communicating directly with those affected.”
An Information Commissioners Office spokesperson said: “An incident involving Dixons Carphone has been reported to us and we are liaising with the National Cyber Security Centre, the Financial Conduct Authority (FCA) and other relevant agencies to ascertain the details and impact on customers.
"Anyone concerned about lost data and how it may be used should follow the advice of Action Fraud.”