Cyber crime experts investigating an attack on Loyaltybuild, which runs rewards schemes for companies across Europe, found more than 376,000 people have had their credit card details stolen.
The details of an additional 150,000 clients were potentially compromised in an attack on its data centre in Ireland.
Ireland's Data Protection Commissioner Billy Hawkes also revealed that the name, address, phone number and email address of 1.12 million clients were taken.
"The initial indications are that these breaches were an external criminal act," the watchdog said after being called in earlier today.
Loyaltybuild said it had been the victim of a sophisticated criminal attack.
It first raised concerns about a data security breach last month and the problem was initially thought to be limited to customers in Ireland.
More than 70,000 customers of the supermarket SuperValu, including more than 6,000 in Northern Ireland, and more than 8,000 at the insurance firm Axa were hit. Stena Line customers in Northern Ireland may also be affected.
Fraud squad officers and data protection inspectors spent the day at Loyaltybuild's headquarters and data centre in Ennis, Co Clare, after the extent of the breach emerged.
"The ODPC continues to warn customers to be vigilant in relation to their accounts and to report any suspicious transactions to their card company. Clients should also be vigilant in relation to suspicious communication of any kind which they receive," the commissioner said.
It is believed Loyaltybuild's data centre in Ireland - where it processes information on all its clients, was hacked.
"We are working around the clock with our security experts to get to the bottom of this and to further enhance our security in order to protect our valued customers, who are of paramount importance to us," Loyaltybuild said in a statement.
The company runs special offers and incentive schemes for major retailers, utilities and service providers in the UK, Ireland, Scandinavia and Switzerland.
And the fear is criminals will have all the information they need to use customers' credit cards.
Mr Hawkes suggested Interpol may have to be called in.
Data protection chiefs in the different European countries where Loyaltybuild has contracts have been alerted and the relevant banks and credit card companies have also been warned.
"Our inspectors will be looking closely at the quality of the security in place at Loyaltybuild to try to find out why this happened," Mr Hawkes said.
"But to be fair, there are extremely sophisticated cyber criminals out there who have succeeded in hacking into much larger companies around the world."
Cyber crime is worth about six billion euro (£5billion) a year, the data expert said.
"It's big business. The entry cost is low, it has its roots in traditional organised crime. It's a clean sort of crime. You have people sitting in front of a screen with real expertise in the technology," he added.
"They are hard to track down because they could well be operating from the other side of the world. It's a real insidious crime."
Loyaltybuild has operated leisure break schemes for the SuperValu supermarket chain, ESB energy firm and insurance company Axa in Ireland. It also ran schemes for the Coop in Norway and Sweden.
Loyaltybuild said a data breach was first identified on October 25.
It said it immediately tasked an expert forensic security team to investigate the source of the breach.
"As the safety of our customer data is of utmost importance to us, we immediately informed our clients of this new development so they could put their own processes in place to inform customers of any potential compromise to their data," it said.
"Unfortunately, the threat of cyber-attacks is increasingly becoming a reality of doing business today and Loyaltybuild would like to sincerely apologise for any distress or inconvenience caused."
Loyaltybuild operates both the SuperValu Getaway Breaks and Axa Leisure Breaks programmes.
SuperValu is now contacting customers to tell them there is a "high risk" that an unauthorised third party accessed details of payment cards used to pay for Getaway Breaks between January 2011 and February 2012.
The data, which is believed to have been stolen, was being held by Loyaltybuild.
SuperValu said the Getaway Breaks booking system has been suspended until further notice.
Likewise, Axa has pledged to contact all affected customers and will advise them to get in touch with their banks to check transactions on their payment cards for any suspicious activity.
Loyaltybuild boasts on its website that more than 3.5 million customers across Europe have taken a holiday break through them.
Established in 1999, the company is part of the Affinion International group and is headquartered in Ireland.