The travel fare website Orbitz said on Tuesday that as many as 880,000 payment cards were impacted by a security breach, warning that hackers may have also accessed the personal information of its customers.

The company, which is owned by Expedia, told Gizmodo that it discovered a potential breach on March 1st during an investigation of a legacy Orbitz platform. Evidence suggests that, between October 1st and December 22nd, 2017, an attacker “may have accessed personal information stored on this consumer and business partner platform,” the company said.

Per Orbitz, the total number of payment cards impacted by the incident is approximately 880,000. No Social Security numbers were involved in the breach, the company said, and the current Orbitz.com website was not involved.

“As part of our investigation and remediation work, we brought in a leading third-party forensic investigation firm and other cybersecurity experts, began working with law enforcement, and took swift action to eliminate and prevent unauthorized access to the platform,” Orbitz said.

Information that was “likely accessed” includes names, payment card information (credit or debit card details), dates of birth, phone numbers, email and billing addresses, and gender, Orbitz said, while hedging on whether those responsible actually stole this data. “To date, we do not have direct evidence that this personal information was actually taken from the platform and there has been no evidence of access to other types of personal information, including passport and travel itinerary information,” the company added.

The company said it was working to notify impacted customers. It will offer affected consumers a year of complimentary credit monitoring and identity protection, wherever available.

Orbitz customers with questions were advised to call 1-855-828-3959 (toll-free U.S.) or 1-512-201-2214 (International).

This is a developing story.