Sportswear chain JD Sports has said stored data relating to 10 million customers might be at risk after it was hit by a cyber-attack.
The company said information that "may have been accessed" by hackers included names, addresses, email accounts, phone numbers, order details and the final four digits of bank cards.
The data related to online orders between November 2018 and October 2020.
JD Sports said it was contacting affected customers.
The group said the affected data was "limited". It added it did not hold full payment card details and did not believe that account passwords were accessed by the hackers.
"We want to apologise to those customers who may have been affected by this incident," said Neil Greenhalgh, chief financial officer of JD Sports. "Protecting the data of our customers is an absolute priority for JD."
The attack related to online orders placed for the JD, Size?, Millets, Blacks, Scotts and MilletSport brands and it is understood it was detected by the company in recent days, but only the historical data was accessed.
The company said it was working with "leading cyber-security experts" and was engaging with the UK's Information Commissioner's Office (ICO) in response to the incident.
Mr Greenhalgh said affected customers were being advised "to be vigilant about potential scam e-mails, calls and texts".
Cyber-attacks have hit several UK companies in recent times. Royal Mail became the victim of a ransomware attack earlier this month which led to it halting post and parcel deliveries overseas.
In December, the Guardian newspaper was also targeted by a suspected ransomware attack.
Lauren Wills-Dixon, solicitor and an expert in data privacy at law firm Gordons, said retailers were among the most common targets for cyber-attacks because of the large amounts of customer data they hold, and said firms needed to do more to plan for them.
But she said the increased use of technology by the industry "to reduce overheads and streamline operations has raised the risk even further".
"In this new world, it's not 'if' but 'when' a cyber-attack will happen," she said.
A spokeswoman for the ICO confirmed it was aware of the attack and that it was assessing information provided by JD Sports.
Scott Nicholson, co-chief executive of cyber security company Bridewell, said it was seeing a rise in malicious software, known as "malware" being used by criminals to steal information from companies.
"It is good to see JD Sports stating that they are working with experts to help from a containment and recovery perspective, but once the dust has settled their comments of 'we take the protection of customer data extremely seriously' will be put to the test by the ICO," he added.
Royal Mail hit by Russia-linked ransomware attack
Suspected ransomware attack on Guardian newspaper
US secures deal on bases to complete arc around China
Russian officer: Our troops tortured Ukrainians
Black history syllabus changed after 'woke' claims
Russian army officer: Our troops tortured Ukrainians
US secures deal on bases to complete arc around China
Can Sri Lanka trade its way back to prosperity?
Why ballroom dancing thrives in Asian communities. Video
Why lifting opposition ban suits Tanzania's leader
Devastation from the air: A new tactic in Myanmar's brutal civil war
Black officers reckon with death of Tyre Nichols
The world's most influential school?
How a tiny radioactive capsule was found in the outback
A remedy for low motivation and passion
The 90s cop show that changed TV
How one volcano could make global chaos
© 2023 BBC. The BBC is not responsible for the content of external sites. Read about our approach to external linking.
