Earlier this week after learning about the attack, the company stopped taking card payments via its site.
Recently an investigation has revealed that attackers stole data by exploiting a loophole in its payment system between mid-November 2017 and 11 January.
The company apologised and said affected customers would get free help to resolve card problems.
The company added that the malicious script ran "intermittently" and has now been expunged from the affected server. However, the loophole in its payment system that it exploited had also been eliminated.