The Information Commissioner's Office (ICO) has confirmed that it is now investigating the cyber attack at Carphone Warehouse after 2.4 million customer details and up to 90,000 credit card records were stolen.
The ICO told V3 that it has logged the incident and is now making enquiries, and warned that "anytime personal data is lost there can be a risk of identity theft".
"There are measures you can take to guard against identity theft, for instance being vigilant around items on your credit card statements or checking your credit ratings. There are more tips and information on our website," the ICO said.
Dr Chenxi Wang, vice president of cloud security and strategy at CipherCloud, has said she is closely watching the ICO's next move.
"Carphone Warehouse is a repeat offender as its TalkTalk service succumbed to a breach last year. Given the circumstances, I would advise the ICO to consider if Carphone Warehouse has since tightened security controls for protecting customer information," she said.
"It would demonstrate extreme negligence on their part to have made no real changes to their security postures. This time around, the resulting penalty must have teeth to stop repeat offenders and compel companies to improve the robustness of their security measures."
Wang added that Carphone Warehouse "must match their rhetoric of taking information security seriously".
"To move on from this incident, the company should immediately implement measures to prevent data proliferation and data creep; technologies such as strong encryption or tokenisation serve the exact purpose. These moves will help assure all customers of the company's commitment to proactively protecting customers," she said.
The stolen data from Carphone Warehouse includes names, addresses, dates of birth and bank records, and the firm has reported that the encrypted credit card data of up to 90,000 customers may also have been accessed.
The targeted division of Carphone Warehouse operates the websites OneStopPhoneShop.com, e2save.com and Mobiles.co.uk, and provides a number of services to iD Mobile, TalkTalk Mobile and Talk Mobile.
Carphone Warehouse said it is now contacting partners and customers who have been affected by the breach and has put "additional security measures" in place to protect against further attacks.
Currys, PC World and the "vast majority" of Carphone Warehouse customer data is held on separate systems and was not accessed during this incident, according to parent company Dixons Carphone.
Sebastian James, group chief executive of Dixons Carphone, apologised to customers for the breach and said the firm was doing everything it could to mitigate the fallout.
"We are very sorry that people have been affected by this attack on our systems. We are, of course, informing anyone that may have been affected, and have put in place additional security measures," he said.
However, Klaus Gheri, vice president and general manager of network security at Barracuda Networks, warned that the latest breach shows "that most organisations are not doing enough to keep data safe".
"With email addresses compromised as a result of the Carphone Warehouse breach, organisations and individuals must stay vigilant to the potential for spear phishing attacks. Having access to the email addresses could allow the hackers to build a detailed profile of their target and create a very specific attack," he said.
"As well as putting security systems in place, businesses, employees and consumers alike need to remain vigilant and question any unexpected email with an attachment that arrives in their inbox."
Charles Sweeny, chief executive of internet security filtering firm Bloxx, said that concerned customers should change their passwords and check their bank activity.
"Of course, companies need to understand the scope of the attack, but this exercise needs to be undertaken rapidly so that consumers can be engaged and supported in a timely way," he added.
"How a brand handles a breach is the difference between retaining and losing customers. I think most would argue that 72 hours is too long."