Personal details of up to 2.4 million Carphone Warehouse customers may have been accessed in a cyber-attack, the mobile phone retailer says.
Up to 90,000 customers may also have had their encrypted credit card details accessed, it said in a statement.
While the "vast majority" of Carphone Warehouse customers are unaffected, the breach does concern some of the company's separately managed divisions.
The retailer's owner, Dixons Carphone, said it was very sorry for the attack.
The affected part of the company operates the OneStopPhoneShop.com, e2save.com and Mobiles.co.uk websites.
It also provides services to iD Mobile, TalkTalk Mobile, Talk Mobile and some Carphone Warehouse customers.
Sebastian James, chief executive of Dixons Carphone, said: "We are, of course, informing anyone that may have been affected, and have put in place additional security measures.
"We take the security of customer data extremely seriously, and we are very sorry that people have been affected by this attack on our systems."
Carphone Warehouse said it was informing all customers who may have been affected of the breach.
It will also advise affected individuals on how to reduce the risk of further consequences arising from the data leak.
The BBC's Joe Lynam says Carphone Warehouse first became aware of the problem on 5 August.
"In that time, 72 hours, they will say we need to find the depth of the breach, but let's say some people do have their cards compromised," he said.
"They will be livid that they weren't told straight away, so they could cancel those cards."
Talk Talk used to be owned by Carphone Warehouse but is a separate company - Carphone Warehouse now has contractual ties to it.
But 480,000 Talk Talk Mobile customers are affected by this breach.
Talk Talk later said on Twitter, external that a "very small number" of customer passwords accessed in the breach may not have been encrypted, but that the relevant online accounts had been blocked until those passwords are reset.
Carphone Warehouse took the affected websites down itself, to protect data once the problem was recognised.
Customer information for Currys and PC World - and the "vast majority" of Carphone Warehouse - is held on separate systems and was not accessed during the attack, the company added.