The privacy watchdog has been called into to investigate the theft of personal and banking details of up to 2.4 million people from Carphone Warehouse.
The Information Commissioner’s Office (ICO) said it was looking into the incident. It has powers to impose a fine of up to £500,000 on companies with inadequate data protection.
An ICO spokesman said Carphone, which detected a breach of its systems on Wednesday, had alerted watchdogs on Friday.
A spokesman for the Metropolitan Police, which hosts the national unit responsible for investigating serious cyber crime, said officers were aware of the incident but an investigation had not been opened because Carphone had not reported a crime.
Carphone made the incident public on Saturday, saying it had been the victom of a “a sophisticated cyber-attack”. The data taken concerns online customers of OneStopPhoneShop.com, e2save.com and Mobiles.co.uk, as well as iD Mobile, TalkTalk Mobile, Talk Mobile and Carphone Warehouse itself.
Up to 2.4 million names, addresses, dates of birth and bank details were stolen, as well as the encrypted credit card information of 90,000 customers.
The company came under fire yesterday after it admitted that some of the passwords stolen by the hackers may not have been encrypted, making it much easier for criminals to use the data for fraud. Although Carphone reset the passwords on its own systems, research shows that people often reuse passwords across multiple online retailers.
Carphone also defended itself against criticism over the delay of three days between detection of the breach and informing those affected. A spokesman said it had needed time to work out what had been stolen and how the systems were breached.
The retailer, part of Dixons Carphone, said it was contacting those affected via email. They were advised to change their online passwords and contact their bank to put their accounts on alert for suspicious activity.