Viator, the tours and activities provider acquired by TripAdvisor this summer, is notifying 1.4 million customers that a data breach affecting its websites and mobile offerings may have compromised their credit and debit card numbers, email addresses, and other personal information.

Viator posted notices online September 19 about the breach, although the company learned of a problem 17 days’ earlier when its payment card service provider informed Viator about unauthorized charges on “a number” of customers’ credit cards.

Of the ongoing investigation into what happened, Viator states:

“We have hired forensic experts, notified law enforcement and we have been working diligently and comprehensively to investigate the incident, identify how our systems may have been impacted, and secure our systems.”

Viator states that its forensic team is still confirming what happened, but it believes the following customer data may have been compromised: customer name; physical address; encrypted debit/credit card number; card’s expiration date; Viator account information, including email address, encrypted password and Viator nickname.”

Viator does not collect debit card PINs so these were not compromised, Viator states.

In addition to notifying customers, Viator urges customers to monitor their financial accounts, and it is offering U.S. customers identity protection and credit card monitoring services for free. It is also exploring what similar services are available for customers abroad.

“Responding properly to this incident is our top priority, and we are committed to taking all appropriate steps to safeguard our customers’ personal information,” Viator states. “For over 10 years, Viator’s mission has been dedicated to offering travelers the best tours and activities worldwide, and to delivering a superior experience in all our customer interactions.”

Here’s an FAQ about the incident.

The data breach could also have negative repercussions for parent company TripAdvisor, which welcomed Viator into the family August 11 — three weeks before the breach occurred.

The negative repercussions could be in the reputational sense. A TripAdvisor spokesperson is quick to point out that Viator’s and TripAdvisor’s platforms are not integrated.

“Viator and TripAdvisor are operated on separate systems with different design and security attributes, and with no overlap,” says TripAdvisor spokesperson Kevin Carter.

On the timing of notifying customers, a spokesperson for Viator says: “Viator began investigating immediately to understand the facts, determine the scope, and confirm the customers impacted. Communicating to customers was a priority and we were just this week able to determine the number of potentially impacted customers through our investigation. The investigation is ongoing but we communicated what we know at this time.”

“Viator deeply regrets any inconvenience and concern this incident may cause to their customers,” the spokesperson adds. “Right now, Viator’s highest priority is the safety and security of their customers’ information and maintaining the security of the site for travelers.”