In a statement, the company said the attack, which was only made possible through insider access, provided the hacker with customers' names, addresses, birthdates, genders, bank sort codes and account numbers. No credit information, passwords, PIN numbers, or mobile phone numbers were accessed.
Still, the statement notes that the data could easily be leveraged to launch phishing attacks aimed at gathering victims' passwords and credit card information, so all customers are advised to be cautious in responding to any phone or e-mail inquiries requesting their personal data.
According to the statement, a suspect has already been identified.
BBC News reports that the company was asked by police to delay notifying customers until the suspect was identified and his home was searched.