Dixons Carphone has said a huge data breach that took place last year involved 10 million customers, up from its original estimate of 1.2 million.
The Carphone Warehouse and Currys PC World owner has been investigating the hack since it was discovered in June.
It said personal information, names, addresses and email addresses may have been accessed last year.
However, no bank details were taken and it had found no evidence that fraud had resulted from the breach.
The hackers also got access to records of 5.9 million payment cards, but nearly all of those were protected by the chip and PIN system.
Dixons said it was “very sorry for any distress” caused and it would be apologising to customers, although it did not say how or over what timescale it would be contacting them.
Dixons said it had been working with leading cyber security experts and had put in further security measures to safeguard customer information.
The National Crime Agency began investigating the breach last month when it was first revealed. It is working with the National Cyber Security Centre, the Financial Conduct Authority and the UK’s data protection regulator, the Information Commissioner’s Office.
Dixons Carphone chief executive Alex Baldock said: “Since our data security review uncovered last year’s breach, we’ve been working around the clock to put it right.
“That’s included closing off the unauthorised access, adding new security measures and launching an immediate investigation, which has allowed us to build a fuller understanding of the incident that we’re updating on today.
“As a precaution, we’re now also contacting all our customers to apologise and advise on the steps they can take to protect themselves.”
Commenting on the news, Andy Norton, director of threat intelligence at Lastline, said: “Card Not Present Fraud cost the UK over 200 million pounds last year, and chip and PIN security doesn’t help with this type of fraud. As with all estimates, they are given at a point in time. Upon further investigation Dixons found that the breach was 10 times more severe than they originally thought. They also state that as of today, there is no evidence to suggest fraud has arisen because of the breach. Unfortunately, given the accuracy of their previous statements, tomorrow may be a different story.”