"This attack could only be carried out with high criminal intent and insider knowledge and was launched deep inside the IT infrastructure of the company," Vodafone Deutschland said.
The stolen data included customers' names, gender, birthdates and addresses as well as their bank account and branch numbers, but not their mobile phone numbers, passwords, PIN numbers or credit card details, it said.
This meant that the cyber-criminal had netted insufficient data to access clients' bank accounts, said the company, a subsidiary of the British telecom provider of the same name.
It warned however of the risk of so-called "phishing" attacks in which fake emails try to trick customers into revealing their passwords.
"Vodafone deeply regrets the incident and apologises to all those affected," it added in a statement.
Only customers within Germany had been affected and would be contacted by mail. The company did not say when the attack had taken place.
Vodafone Germany said it had discovered the attack, stopped it and reported it to authorities but initially been asked not to make it public so as not to endanger a police investigation.
"They have now identified a suspect and searched his home," said the company.
"In coordination with the authorities, Vodafone Germany is now fully informing all affected persons and supporting them in avoiding possible adverse effects."