Millions of names and e-mail addresses were stolen from Epsilon, which handles e-mail marketing campaigns for 2,500 companies, including Marks & Spenser and the Ritz-Carlton, which were among the more than 40 companies affected by the breach.
Both companies have issued warnings to customers in the UK in recent days to be on the look out for phishing and scam e-mails.
Alliance Data, Epsilon and all its customers affected by the breach have emphasised that no financial details were taken, but security experts say the risk is high of receiving targeted phishing e-mails in future.
Rik Ferguson, director security research and communication at security firm Trend Micro, says that in reality the attacker not only has names and e-mail addresses, but also information about where these people shop, bank, stay on holiday and more.
Alliance Data says Epsilon is investigating the breach with federal authorities and outside forensics experts and implementing additional security protocols, according to a report from Agence France.
"We will leave no stone unturned and are dealing with this malicious act by highly sophisticated cyber thieves with the greatest sense of urgency," Alliance Data chief executive Ed Heffernan said in a statement.
Alliance Data recognises the impact the breach has had on its clients and their customers, he added.
"On behalf of the entire Alliance Data organisation, we sincerely apologise," Heffernan said.
This story was first published by Computer Weekly