More than 11 million customers of the Nationwide building society have learnt that they may have been exposed to fraud after an employee's laptop was stolen in a domestic burglary three months ago.
Nationwide, which is the UK's biggest building society has come under fire from security groups for delaying disclosure of the breach.
According to a BBC report, details of the theft, which occurred at an employee's home in August, only emerged after a tip-off to reporters.
Nationwide says no PINs or passwords were on the stolen laptop but does not deny that customer names and account numbers could have been. The building society has also failed to say if the data was encrypted.
Nationwide says there is no sign that data had been stolen and no customers had lost any money as a result of the theft. The building society has informed the authorities and will be writing to customers to give them security advice in the next few weeks.
But the UK's National Consumer Council (NCC) says the three month delay in notifying customers of the theft was "appalling".
In an interview with the BBC, Phillip Callum from NCC called for the introduction of laws like those in California where companies are legally required to notify customers when personal data is exposed.