Re: Why 90,000 customers out of 2.5 million?
When you sign up for a contract, they usually ask for your bank account details for the direct debit for your monthly payment, and they also ask for your credit card details. If there is any up-front charge, they normally charge this to a credit card. If there isn't, they normally make a tiny charge (1p, sometimes) to the credit card as a form of identity verification. (Credit card companies don't like this practice, but it still happens fairly often).
Carphone Warehouse have bought many other businesses over the years. This includes a number of web based mobile phone dealers - e2save, mobiles.co.uk and onestopphoneshop. They have typically kept these brands alive as separate brands. If you go to their websites, it is not obvious that they are Carphone Warehouse unless you read the small print (although if you actually buy a contract from them, they then become open about it after you have signed up). The prices on these websites are usually better than those on Carphone's own branded website or in their store, so I have bought phone contracts that way. I haven't yet received an e-mail from them telling me that they have lost my data, but maybe I will.
What it seems is that Carphone have not fully (or possibly at all) integrated their customer records from all the businesses that they have bought. Probably their systems are a horrible ad-hoc mess of incompatible systems nastily stitched together. Security practices are probably inconsistent and of varying quality. They have therefore had some customer records compromised and not others, and they took three days figuring out precisely which.