The owner of Dixons and Carphone Warehouse today revealed hackers grabbed the details of 5.9million customers cards and 1.2million personal records.
The hacking represents a further blow to the company following a series of profit warnings since last summer amid tough trading for its mobile phone arm.
While the breach took place last July, Dixons Carphone only realised that it had occurred in the last week and the notification delay of nearly a year was not a case of the firm covering up the fact, allegedly.
The retailer added that 5.8 million of the compromised cards are protected by chip and pin number combinations.
They added: 'Separately, our investigation has also found that 1.2m records containing non-financial personal data, such as name, address or email address, have been accessed.More news: ‘More concerned about Karnataka’s fitness’: Kumaraswamy to PM’s fitness challenge
More news: Primary Results: Trump’s Hold on the GOP Is Showing
More news: How to dress like Meghan Markle this summer
But the company claims there's still no evidence of fraud, or even that this data left its system. "The protection of our data has to be at the heart of our business, and we've fallen short here", he added. "We've taken action to close off this unauthorised access and though we have now no evidence of fraud as a result of these incidents, we are taking this extremely seriously", the CEO said. "We have no evidence to date of any fraudulent use of the data as result of these incidents".
However, it was quick to add that 5.8 million of these cards had chip and PIN protection, and that the data stolen did not include pin codes, card verification values (CVV) or authentication data - making it more hard for the hackers to monetize the breached data.
The remaining 105,000 cards are a non-EU issue and these will be vulnerable to fraud.
Because the data breach dates back to a year ago it will be dealt with by the ICO under the powers of the Data Protection Act 1998 and not the European Union General Data Protection Regulation (GDPR) which went into effect on May 25. It has informed police, regulators at the Information Commissioner's Office and the Financial Conduct Authority.
Others compared the Dixons Carphone breach to the compromise of USA retailer Target in arguing lessons have not been learned. It said since the 2015 attack it had worked extensively with cyber security experts to upgrade its security systems.