The electricals retailer said it would be contacting 1.2m customers who had non-financial data such as their name and address taken in the breach.
Dixons Carphone said that "unauthorised access" of data held by the company had prompted an investigation, the hiring of external security experts and efforts to shore up its security defences.
It said its ongoing investigation indicated there was an attempt to compromise 5.9 million cards in one of the processing systems of Currys PC World and Dixons Travel stores.
Alex Baldock, the company's new chief executive, apologised for the data for breach and admitted the firm had failed customers.
The remaining 105,000 cards are a non-EU issue and these will be vulnerable to fraud. "We have no evidence to date of any fraudulent use of the data as result of these incidents", the company said.
'We've taken action to close off this unauthorised access and though we have now no evidence of fraud as a result of these incidents, we are taking this extremely seriously.
The data did not contain pin codes, card verification values (CVV) or any authentication data according to Dixons Carphone. "We've taken action to close off this unauthorised access and though we have now no evidence of fraud as a result of these incidents, we are taking this extremely seriously", the CEO said. It said there was no evidence of fraud here either.
The breach was now being investigated by police, it said, while regulators had also been informed.
"The protection of our data has to be at the heart of our business, and we've fallen short here", he said.
It comes after telecoms firm TalkTalk was hit by a major cyber attack in 2015.
"The fact this only came to light now thanks to a review of the company's systems and data and actually occurred in 2017 is also cause for some concern", he said.
The maximum possible financial penalty under the 1998 Act is 500,000 pounds as opposed to 17 million pounds (20 million eur) under GDPR.