Hackers who attacked the now-defunct website of second-hand goods store Cash Converters may have access to the account details of thousands of customers.
Usernames, passwords, delivery addresses and potentially partial credit card numbers are among the data believed to have been stolen.
The culprits are said to be holding the information to ransom while the firm works with law enforcement authorities to investigate the incident.
It is not known exactly how many customers were impacted in the hack or when it happened.
Cash Converters operates high street stores where customers can trade items like jewellery and electronics for money.
The affected website, which was put out of action in September 2017 and replaced with an updated version, lets people purchase these products online.
As well as cash trade-ins, the company offers small financial loans to its customers.
The data breach is believed to affect only customers of the Perth-founded firm who are based in the UK.
In a breach notification email sent to customers, a Cash Converters spokesman said: ‘Please be reassured that, alongside the relevant authorities, we are investigating this as a matter of urgency and priority.
‘We are also actively implementing measures to ensure that this cannot happen again.
‘Although some details relating to the cybersecurity breach remain confidential while Cash Converters works with the relevant authorities, we will continue to provide as much detail as possible as it becomes available.
‘The current webshop site was independently and thoroughly security tested as part of its development process.
‘We have no reason to believe it has any vulnerability, however additional testing is being completed to get assurance of this.
‘Our customers truly are at the heart of everything we do and we are both disappointed and saddened that you have been affected.
‘We apologise for this situation.’
Cash Converters reportedly received an email from hackers claiming to have gained access to the data.
They threatened to release the data if they were not paid, which means anyone who used the old site before September 22 could be at risk.
Customers have been advised to change their passwords and the firm has forced a reset for all UK webshop users.
Speaking about the breach, Jon Topper, CEO of UK webhosting firm The Scale Factory, said: ‘When migrating away from old solutions it’s important to bear in mind that old digital assets will still be running and available online until such time as they are fully decommissioned.
‘As a result they should still be treated as “live” which means maintaining a good security posture around them, keeping up with patching and so forth.
‘In their customer notification, Cash Converters were quick to point out that the old site was operated by a third party, possibly intending to deflect responsibility for this breach.
‘This definitely won’t fly under General Data Protection Regulation regulations coming into force next year.
‘Companies running server infrastructure that handles customer data should be engaging with experts to review their security posture ahead of that, in order to avoid being slapped with a large fine.’