Dixons Carphone has said a huge data breach that took place last year involved 10 million customers, up from its original estimate of 1.2 million.
The Carphone Warehouse and Currys PC World owner has been investigating the hack since it was discovered in June.
It said personal information, names, addresses and email addresses may have been accessed last year.
However, no bank details were taken and it had found no evidence that fraud had resulted from the breach.
The hackers also got access to records of 5.9 million payments cards, but nearly all of those were protected by the chip and pin system.
Dixons said it was “very sorry for any distress” caused and it would be apologizing to customers, although it did not say how or over what timescale it would be contacting them.
Alex Neill, from consumer lobby group Which?, said: “Dixons Carphone customers will be alarmed to hear about this massive data breach and will be asking why it has taken so long for the company to uncover the extent of its security failure.
“It is now critical that the company moves quickly to ensure those affected get clear information about what has happened and what steps they should take to protect themselves.
“Anyone concerned they could be at risk of fraud should consider changing their online passwords, monitor bank, and other online accounts and be wary of emails regarding the breach as scammers may try and take advantage of it.”
On the face of it, this is terrible news for Dixons Carphone and its customers – it’s as if a householder who discovered in June that burglars had stolen the telly has belatedly looked in the garage and found that the car has gone too.
But remember, the really shocking thing about the first announcement last month was that details of 5.9 million payment cards had been accessed – it’s not that number which has gone up tenfold but the separate and less serious total of non-financial personal records hacked.
Now that still leaves many more people at the theoretical risk of phishing attacks and it’s another stain on the company’s reputation.
But whereas Dixons Carphone shares fell after the news in June, they’ve risen slightly this morning. Investors have had so much bad news lately about the last electronics retailer left standing on the High Street that they seem able to shrug off something which may not have a huge effect on the bottom line.
Dixons said it had been working with leading cybersecurity experts and had put in further security measures to safeguard customer information.
The National Crime Agency began investigating the breach last month when it was first revealed. It is working with the National Cyber Security Centre, the Financial Conduct Authority and the UK’s data protection regulator, the Information Commissioner’s Office (ICO).
An ICO spokesperson said: “Our investigation into the incident is ongoing and we will take the time to assess this new information.
“In the meantime, we would expect the company to alert all those affected in the UK as soon as possible and to take all steps necessary to reduce any potential harm to consumers.”
Dixons Carphone chief executive Alex Baldock said: “Since our data security review uncovered last year’s breach, we’ve been working around the clock to put it right.
“That’s included closing off the unauthorized access, adding new security measures and launching an immediate investigation, which has allowed us to build a fuller understanding of the incident that we’re updating on today.
“As a precaution, we’re now also contacting all our customers to apologize and advise on the steps they can take to protect themselves.”