Angry Carphone Warehouse customers have vented their frustration after it was revealed the personal details of up to 2.4 million people may have been stolen when a division of the company was hit by a cyber attack.
The mobile phone retailer has warned the encrypted credit card information of up to 90,000 people may have been accessed during the attack.
An investigation carried out by the company found that names, addresses, dates of birth and bank details of customers could also have been accessed.
Carphone Warehouse said the “sophisticated cyber attack” was stopped “straight away” after its own systems discovered it on Wednesday afternoon.
Asked when the data breach began, a spokesman replied: “The evidence indicates within the last two weeks (before Wednesday).”
Additional security measures have been put in place, he said.
But many customers have said they should have been told sooner about the incident.
Sarah Roberts (@sarahroberts63) tweeted: “We get told now? Loyal customer just as it’s being aired?? NOT HAPPY”.
Another user, @tenkodragon, wrote: “Really £annoyed and £disappointed that I learned about £CarphoneWarehouse customer details hack via news; no contact from company”.
Menna Flavell added: “How timely of carphone warehouse to delay announcement of hacking to weekend when banking services are most difficult to contact.”
A spokesman for the Information Commissioner’s Office, which examines data breaches, said: “We have been made aware of an incident at Carphone Warehouse and are making inquiries.”
Technology expert Tom Cheesewright said the firm may have been trying to assess the level of damage before making the announcement.
He told BBC Breakfast: “The question is how much they knew, and when did they know? Did they know what had been breached, what had been lost?
“Do you risk if you announce early that you terrify people and actually the breach has been minimal, or do you do the forensics first, dig down through the systems, work out what has gone and then announce things once you’re more sure?
“I don’t think we’ll know until the Information Commissioner’s Office looks at this whether they did the right thing, whether they were prudent in waiting a few days.”
He added that one set of credit card details might be sold for £5 or £10, and possibly twice that for a full identity.
Sebastian James, group chief executive of Dixons Carphone, apologised for the incident.
He said: “We take the security of customer data extremely seriously, and we are very sorry that people have been affected by this attack on our systems.
“We are, of course, informing anyone that may have been affected, and have put in place additional security measures.”
The affected division of Carphone Warehouse operates the websites OneStopPhoneShop.com, e2save.com and Mobiles.co.uk and provides services to iD Mobile, TalkTalk Mobile, Talk Mobile and some Carphone Warehouse customers.
Carphone Warehouse said it was contacting all customers who may have been affected to inform them of the breach and to advise them on how to reduce the risk of further consequences.
A TalkTalk spokesman said its mobile sales site, mobile .talktalk.co.uk, was a victim of the attack.
“We took the site down immediately and are carrying out thorough security checks before they restore it,” he said.
“However, we understand that the personal data of our mobile customers may have been accessed during the attack.
“We are working with Carphone Warehouse to establish exactly what has happened and how many customers have been affected, but as a precaution we are contacting all affected customers today to let them know what has happened and what steps they should take as a result.
“We take the security of all customer data extremely seriously and whilst we work with Carphone Warehouse to investigate this incident and establish the extent of the attack, customers are advised to look out for any suspicious online or account activity.”
Tony Neate, chief executive of Government-backed web security initiative Get Safe Online, advised affected customers to change their passwords to “something unpredictable and different for every account”, as stolen data could help hackers gain access.
He added: “Carphone Warehouse is said to be getting in touch with customers who need to notify their bank and credit card company, but don’t be fooled by emails or phone calls pretending to be them.
“There will always be more cyber criminals looking to exploit the situation and trick you into sharing information a legitimate company would never ask for.”
There have been a number of high profile online attacks and viruses, including the Heartbleed vulnerability, first detected in April last year, that left millions of websites open to attack and led to the hacking of sites including Yahoo and Mumsnet.