The attack was discovered on Wednesday, and made public on Saturday.
The encrypted credit card details of up to 90,000 people may have been accessed, the mobile phone firm said.
The Information Commissioner’s Office, which examines data breaches, confirmed it was aware of the incident.
Carphone Warehouse says the data could include names, addresses, dates of birth and bank details, and that it is contacting all those affected.
Carphone Warehouse claims it was the victim of a “sophisticated” cyber-attack, which was stopped “straight away” after it was discovered on Wednesday.
The affected division of the company operates the websites OneStopPhoneShop.com, e2save.com and Mobiles.co.uk, and provides services to iD Mobile, TalkTalk Mobile, Talk Mobile and some Carphone Warehouse customers.
The retailer’s owner, Dixons Carphone, has apologised for the attack and said additional security measures have been brought in. It has also taken the affected websites down.
The Information Commissioner will work out if Carphone Warehouse had done enough to protect customer data from hackers.
A spokesman for the Information Commissioner’s Office said: “We have been made aware of an incident at Carphone Warehouse and are making enquiries.”
The Metropolitan Police said its Cyber Crime Unit had been notified of the breach by Carphone Warehouse but no formal allegation of a crime had been made.
The Met said it had not had any reports of fraudulent banking activity.