UK ISP TalkTalk says customers' credit-card and banking details may have been accessed by hackers after a "sustained cyberattack" on its website this week.
Following its second major breach in the past year, the British broadband provider has vaguely admitted it may have failed to protect customers' financial data properly.
Among details it says may have been "accessed" were customers' name, address, date of birth, email address, telephone number, account information, credit-card, and bank-account details.
The company has not said whether users' passwords were also accessed and has not clarified what data was encrypted.
"Not all of the data was encrypted," TalkTalk said in a support notification.
The company hasn't explained how hackers breached its website but said, "We believed our systems were as secure as they could be."
"As soon as we realised the website was under attack, we pulled the website down in an effort to protect data."
The UK Metropolitan Police Cyber Crime Unit began an investigation into the hack on Thursday, following the Wednesday attack, according to TalkTalk.
Customers have complained since Wednesday, when the site was pulled offline without an explanation from the ISP.
People purporting to be a Russian Islamist group have claimed responsibility for the hack.
The breach reportedly followed a distributed denial-of-service (DDoS) attack on TalkTalk's website, although there is no explanation for how junk traffic hitting the company's web servers translated into a breach of its internal systems.
If TalkTalk indeed failed to encrypt its users' credit-card data, it could be looking at a serious fine. The UK's Information Commissioner's Office hit an online insurance firm with a £175,000 fine after its security failings allowed hackers to access customer records.
TalkTalk customers were targeted by fraudsters earlier this year following a breach of its internal security procedures linked to its use of a third-party call centre.