Vision Direct Group Ltd said it has been hit by a cyber-attack, exposing the personal details of its customers.
The company, which sells contact lenses, glasses and other eye-care products, said customers who entered their details into its website between November 3 and 8 could be affected.
Compensation will be considered on individual basis
The group’s UK site and some of its European operations were hacked, compromising personal data including payment card numbers, expiry dates and CVV codes.
Vision Direct said is customers should contact their banks and/or credit card providers if they entered their details during the stated period.
"The personal information was compromised when it was being entered into the site and includes full name, billing address, email address, password, telephone number and payment card information, including card number, expiry date and CVV," it said on its website.
"We understand that this incident will cause concern and inconvenience to our customers. We are contacting all affected customers to apologise.”
The Vision Direct's Twitter account has been telling customers that "compensation will be considered on an individual basis should there be any material loss incurred”.
The BBC cited cybersecurity experts in reporting that a fake Google Analytics script placed within the site's code was the apparent cause of the attack.
The news outlet said a spokeswoman for Vision Direct said she would pass on its request for more information, including an estimate of how many people had been affected.