It has been reported that up to 2,000 customers who used the Jewson Direct online store between 23 August and 3 November could have been affected.
Jewson confessed to the data breach in a letter sent to customers on Friday, in which it warned that a whole range of information - including names, location, billing address, password, email, phone number, payment details, card expiry dates and CVV numbers - may have been stolen.
The missive stated: "As a Jewson Direct customer, we regrettably are writing to inform you that our website (www.jewsondirect.co.uk) has suffered a security breach and, as a result, your personal data including your credit/debit card details may have been compromised."
"At this stage we are aware that a foreign piece of code was encrypted into the Jewson Direct (formerly Jewson Tools Direct) website," the letter continued. "The code has been identified and removed, and we are investigating the breach of security and any related potential loss of information/personal data."
The firm did, however, claim that no card data is stored by Jewson, but added: "until the investigation has been completed, customers have been informed of a potential breach of card data as an advisory measure."
The merchant's website, Jewson Direct, is currently offline for what the website says is "some maintenance".
A spokeswoman for the Information Commissioner's Office confirmed it had been notified of the incident.