In a statement, Dixons Carphone said that "unauthorised access" of data held by the company had prompted an investigation, the hiring of external security experts and efforts to shore up its security defences.
It has informed police, the Information Commissioner's Office and the Financial Conduct Authority but gave no explanation as to why it is only just telling the people at the sharp-end - its customers. Under GDPR, which came into force last month, companies must notify the authorities within 72 hours of a serious data breach.
The statement goes on to say that the firm has "no evidence to date of any fraudulent use of the data as result of these incidents" before admitting the compromised information included (incomplete, in some cases) payment card data.
It reads: "Our investigation is ongoing and currently indicates that there was an attempt to compromise 5.9 million cards in one of the processing systems of Currys PC World and Dixons Travel stores. However, 5.8 million of these cards have chip and PIN protection.
"The data accessed in respect of these cards contains neither PIN codes, card verification values (CVV) nor any authentication data enabling cardholder identification or a purchase to be made. Approximately 105,000 non-EU issued payment cards which do not have chip and PIN protection have been compromised."
The company claims it "immediately notified the relevant card companies via our payment provider about all these cards so that they could take the appropriate measures to protect customers. We have no evidence of any fraud on these cards as a result of this incident".
The retailer has previous. Three years ago a similar incident exposed the personal details of over 3 million Carphone Warehouse customers and 1,000 staff, and triggered a £400,000 fine for what the ICO described as “multiple inadequacies” in the firm's approach to data security.
Dixons Carphone chief executive Alex Baldock apologised to customers, adding: "We are extremely disappointed and sorry for any upset this may cause. The protection of our data has to be at the heart of our business, and we've fallen short here. We've taken action to close off this unauthorised access and though we have currently no evidence of fraud as a result of these incidents, we are taking this extremely seriously."