The company, which trades under names including Currys PC World, Carphone Warehouse and Dixons Travel, says that two separate incidents have led to the theft of around 1.2 million general user data files and a whopping 5.9 million card details.
Shares in Dixons Carphone, which issued a profit warning last month, fell as much as 6.4 percent on Wednesday, taking year-on-year losses to 37 percent.
The company said in a statement: "Our investigation is ongoing and now indicates that there was an attempt to compromise 5.9 million cards in one of the processing systems of Currys PC World and Dixons". "The protection of our data has to be at the heart of our business, and we've fallen short here", he added. Again, Dixons said there was no evidence that it had resulted in any fraud.
PIN codes, card verification values (CVV), and authentication data enabling holder identification or purchases were not stored in the data.
The UK Information Commissioner's Office said it was aware of the data breach.
Others compared the Dixons Carphone breach to the compromise of U.S. retailer Target in arguing lessons have not been learned. That said, around 105,000 details were from non-EU cards that may not have the same protections, so Dixons Carphone has informed the card companies in question so they can take action.
"We are determined to put this right and are taking steps to do so; we promptly launched an investigation, engaged leading cyber security experts, added extra security measures to our systems and will be communicating directly with those affected", he stated.
The company does not reveal when its systems were compromised; nor exactly when it discovered the intrusion; nor how long it took to launch an investigation - writing only that: "As part of a review of our systems and data, we have determined that there has been unauthorised access to certain data held by the company". Baldock added that Dixons Carphone has also "added extra security measures" to its systems.
Given the small number of affected cards and the fact that personal data did not leave the network, it's unlikely the firm will be in for a major GDPR fine, unless it emerges that the hackers took advantage of serious deficiencies in the firm's cyber-defenses.