Carphone Warehouse in customer data breach
Personal details of up to 2.4 million Carphone Warehouse customers may have been accessed in a cyber-attack, the mobile phone retailer says.
Up to 90,000 customers may also have had their encrypted credit card details accessed, it said in a statement.
While the "vast majority" of Carphone Warehouse customers are unaffected, the breach does concern some of the company's separately managed divisions.
The retailer's owner, Dixons Carphone, said it was very sorry for the attack.
The affected part of the company operates the OneStopPhoneShop.com, e2save.com and Mobiles.co.uk websites.
It also provides services to iD Mobile, TalkTalk Mobile, Talk Mobile and some Carphone Warehouse customers.
Sebastian James, chief executive of Dixons Carphone, said: "We are, of course, informing anyone that may have been affected, and have put in place additional security measures.
"We take the security of customer data extremely seriously, and we are very sorry that people have been affected by this attack on our systems."
Carphone Warehouse said it was informing all customers who may have been affected of the breach.
It will also advise affected individuals on how to reduce the risk of further consequences arising from the data leak.
What can those affected do?
- Notify your bank and credit card company, so they can monitor activity on your account
- Change your password for your online account
- Check your account for any suspicious or unexpected activity
- Be wary of anyone calling asking for personal information, bank details or passwords
- Visit Experian, Equifax or Noddle to check your credit rating to make sure no one has applied for credit in your name
Those who think they have been the victim of fraud should contact Action Fraud on 0300 123 2040.
Craig Gee-Clough, from Bolton, told the BBC he had been contacted by letter by Mobiles.co.uk about the breach.
"I can't contact the bank until after the weekend so am worried about what offences can be committed. Fraudsters can do anything with that information."
He said he is also unhappy about now having to pay to check his credit files.
The company's investigation found that the data could have included names, addresses, dates of birth and bank details.
A Carphone Warehouse spokesman said the attack was stopped "straight away" after it was discovered on Wednesday afternoon.
He also said the breach was likely to have occurred at some point "within the last two weeks before Wednesday afternoon".
The BBC's Joe Lynam says Carphone Warehouse first became aware of the problem on 5 August.
"In that time, 72 hours, they will say we need to find the depth of the breach, but let's say some people do have their cards compromised," he said.
"They will be livid that they weren't told straight away, so they could cancel those cards."
TalkTalk used to be owned by Carphone Warehouse but is now a separate company, to which Carphone Warehouse has contractual ties.
But 480,000 TalkTalk Mobile customers are affected by this breach.
TalkTalk later said on Twitter that a "very small number" of customer passwords accessed in the breach may not have been encrypted, but that the relevant online accounts had been blocked until those passwords are reset.
Carphone Warehouse took the affected websites down itself, to protect data once the problem was recognised.
Customer information for Currys and PC World - and the "vast majority" of Carphone Warehouse - is held on separate systems and was not accessed during the attack, the company added.
Previous data breaches
- In February TalkTalk announced that some account numbers and names had been stolen from the company's computers and were being used by scammers
- On 20 July, hackers claimed to have stolen information about the 37 million accounts registered on the Ashley Madison website, which helps married people plan affairs
- In January 2013 Sony Computer Entertainment Europe was fined £250,000 for a "serious breach" of the Data Protection Act, over a hack in April 2011 which UK authorities said "could have been prevented"
The Information Commissioner's Office, which is the regulator in the area of personal data, can impose fines of up to £500,000 if a company is found to have not done enough to protect its customers' personal information.
Dixons Carphone was formed last year by the merger of Carphone Warehouse and Dixons Retail.
In July it reported a 21% jump in profits in its first annual results since the merger that created the mobile phone and electrical goods firm.
In the UK and Ireland, where it trades under the Carphone Warehouse, Currys and PC World names, sales rose by 8%.