Online booking agent Viator has sent emails to 1.4 million customers notifying them of a data breach affecting its websites and mobile offerings.

The organisation, which was acquired by TripAdvisor earlier this year, said the breach may have compromised their credit and debit card numbers, email addresses, and other personal information.

Viator posted notices online September 19th about the breach, although the company learned of a problem 17 days’ earlier from its payment card service provider.

The company had been informed about unauthorised charges on “a number” of customers’ credit cards.

In a statement Viator explained: “We have hired forensic experts, notified law enforcement and we have been working diligently and comprehensively to investigate the incident, identify how our systems may have been impacted, and secure our systems.”

In addition to notifying customers, Viator urged customers to monitor their financial accounts, and is offering US customers identity protection and credit card monitoring services for free.

It is also exploring what similar services are available for customers abroad.

Commenting on the situation, Voltage Security vice president, Mark Bower, said: “Online businesses handling large volumes of sensitive data are always at risk of data breaches from advanced attacks. 

“Recent malware variants have focused on stealing live sensitive data in use and in transit and in active processing systems.

“Even if organisations encrypt disks or servers, it does not reduce the threat of advanced malware capable of stealing live data from active systems.”