The U.K.'s data watchdog is investigating the hack of Carphone Warehouse in which data of , with security experts warning that criminals could use the information for further fraudulent activities.
The Information Commissioner's Office (ICO) confirmed it has been made aware of the cyber breach and said it is "making enquiries".
Scant details have been given of the attack, but Carphone Warehouse said that the systems of one of its divisions in the U.K. were breached by a "sophisticated cyberattack". The unit operates OneStopPhoneShop.com, e2save.com and Mobiles.co.uk and provides a number of services to iD Mobile, TalkTalk Mobile, Talk Mobile, and to certain customers of Carphone Warehouse.
The ICO has the power to fine a company up to £500,000 ($773,455) if it is found to be negligent in the handling of customer data.
The attack was found by Carphone Warehouse on Wednesday but only made public on Saturday, sparking outrage
While the company did not give an official response as to why there was a delay in notifying customers, cybersecurity researchers said it can take time to find out what has happened.
"If you discover a breach, what you will need to know is, what has happened, how many people are impacted and what data is impacted. If you go public without that, you don't look very incompetent," David Emm, senior security researcher at Kaspersky Lab, told CNBC by phone.
Carphone Warehouse also said that encrypted credit card details of up to 90,000 customers may have been accessed. The retailer said it took "immediate action" to secure the systems and is informing customers by email.
The firm also told people to keep an eye on suspicious activities in their bank accounts as well as monitor their credit rating, a process that does cost money. Many customers took to Twitter to criticize what they considered a lack of care from Carphone Warehouse.
While Carphone Warehouse said it has "seen no evidence" of information being sold or misused, experts warned that any information accessed by hackers could be used in future attacks.
For example, information such as dates-of-birth, email and home addresses could be used to build a picture of a person, who could then be targeted by hackers through tailor-made emails designed specifically for them but containing a malicious link.
On top of this, TalkTalk, one of the Carphone Warehouse divisions affected by the attack, admitted that some of the user passwords it stores may not have been encrypted, a move Emm called "concerning".
"The sort of data, if joined with other personal data, creates the possibility that this information could be used for other fraudulent activities such as getting access to other online accounts of a user," Emm said.