Shares in Dixons Carphone fell more than three per cent this morning after it announced the launch of an investigation finding there had been "unauthorised access to certain data" held by the company.
The company said the probe was continuing, but it had found that there was an attempt to compromise 5.9m cards in one of the processing systems of Currys PC World and Dixons Travel stores.
The majority of these cards had chip and protection, according to the company, which said the data accessed did not contain pin codes, card verification values, nor any data enabling cardholder identification. But around 105,000 non-EU issued payment cards were compromised.
The company has notified the relevant card companies so they can take appropriate measures to safeguard customers, and said there was no evidence of fraud on these cards as a result of the incident.
Separately, the investigation has found that 1.2m records containing non-financial personal data - such as name, address and email - had been accessed.
Again, the company said there was no evidence that the information had left its systems, and it is in the process of contacting those whose personal data was accessed to apologise and give them guidance on any protective steps they should take.
Dixons Carphone said that action had been taken to close off the access, and there was no evidence to suggest it was continuing.
The company said it had informed the relevant authorities, including the Information Commissioner's Office, the Financial Conduct Authority, and the police.
Dixons Carphone chief executive, Alex Baldock, said:
We are extremely disappointed and sorry for any upset this may cause. The protection of our data has to be at the heart of our business, and we’ve fallen short here.
We’ve taken action to close off this unauthorised access and though we have currently no evidence of fraud as a result of these incidents, we are taking this extremely seriously.
We are determined to put this right and are taking steps to do so; we promptly launched an investigation, engaged leading cyber security experts, added extra security measures to our systems and will be communicating directly with those affected.
Mike van Dulken, head of research at Accendo Markets, said the breach "will do little to boost its reputation".
"More importantly perhaps, and awful timing with GDPR not even a month old, is the revelation that 1.2m records including names, addresses and emails have also been accessed," he said. "Again, no sign the info left Dixons’ systems but, at the end of the day, it was left at risk."