Ten million people were affected by Dixons Carphone's data breach last year, the firm admitted today - far more than the 1.2 million it initially reported last month, IT PRO writes.
The retailer also revealed that it's now found evidence that some of this data may have left its systems when it was hacked in 2017, meaning people's personal records - including names, addresses and email addresses - could be in the hands of hackers.
While Dixons Carphone ruled out the possibility of card or bank details being included in those leaked records, it said it is contacting affected customers to reduce the risk of fraud, with hackers able to use their personal details in phishing attacks.
"We're disappointed in having fallen short here, and very sorry for any distress we've caused our customers," said chief executive Alex Baldock in today's update. "I want to assure them that we remain fully committed to making their personal data safe with us."
The CEO outlined some of the measures the retailer has taken since it discovered the 2017 breach in June this year, including closing off unauthorised access, adding new security measures and conducting an investigation that's led to today's discovery of how many records were affected in the breach.
"Since our data security review uncovered last year's breach, we've been working around the clock to put it right," Baldock said.
Separate to the leaked data records, the breach also saw hackers try to compromise 5.9 million credit and debit cards. When it first warned of the breach last month, Dixons Carphone said only 105,000 of these cards were at risk because they were not chip-and-pin, and that it had notified the card companies.
UK data watchdog the Information Commissioner's Office (ICO) is already investigating the Dixons Carphone breach, though it is not yet clear whether it is looking at it under the Data Protection Act 1998 - active when the breach occurred - or the Data Protection Act 2018, active when Dixons Carphone discovered the hack, and which carries fines of up to £17 million.
An ICO spokesperson said: "Dixons Carphone reported a data breach to the ICO in June. The company has now confirmed that the incident affected 10 million records, which is significantly higher than initially stated.
"Our investigation into the incident is ongoing and we will take time to assess this new information. In the meantime, we would expect the company to alert all those affected in the UK as soon as possible and to take all steps necessary to reduce any potential harm to consumers."
The ICO has previously issued Dixons Carphone subsidiary Carphone Warehouse with a £400,000 fine for a 2015 data breach that saw hackers access millions of people's data.