The group, which trades as Carphone Warehouse, Currys and PC World in Ireland and the UK, said the attack had been carried out on a division that operates the websites OneStopPhoneShop.com, e2save.com and Mobiles.co.uk.
It discovered the breach in one of its IT systems last week.
The division also provides services to iD Mobile, TalkTalk Mobile, Talk Mobile, and to some Carphone Warehouse customers. More than 400,000 TalkTalk customers were reportedly affected.
The company said in a statement that it had learned of the data breach on August 5 and had taken immediate action to secure the systems.
Its investigation found that the names, addresses and bank details of up to 2.4m customers may have been exposed, along with the encrypted credit card data of up to 90,000 customers.
“We take the security of customer data extremely seriously, and we are very sorry that people have been affected by this attack on our systems,” group chief executive Sebastian James said.
“We are, of course, informing anyone that may have been affected, and have put in place additional security measures.”
The breach appeared to be one of the largest exposures of consumer data in Britain and Ireland.