Viator was acquired by TripAdvisor, the world's largest travel site, for £122 million (US$200 million) last month – and TripAdvisor saw its NASDAQ shares slump 4 percent after the breach was disclosed, though they partially recovered later.
US-based Viator – which has a regional office in London – admitted late on Friday that criminals have hacked into some of its customers' payment card accounts and made unauthorised charges.
The breach was found in the bookings made through Viator's websites and mobile apps which run on Apple and Android devices.
Viator was first told of the hack by its payment card service provider on 2 September – more than two weeks before it went public. It has called in digital forensic experts and the police.
The company said: “While our investigation is ongoing, we are in the process of notifying approximately 1.4 million Viator customers who had some form of information potentially affected by the compromise.”
Viator says around 880,000 customers may have lost their payment card information – including encrypted credit or debit card numbers, card expiration date, name, billing and email addresses.
These customers may also have had their Viator account information stolen, which includes their email address, encrypted password and Viator ‘nickname’.
Another 560,000 customers may have lost this account information.
Viator's investigation into the breach is continuing. “We have been working diligently and comprehensively to investigate the incident, identify how our systems may have been impacted, and secure our systems,” the company said.
It has warned all affected customers to monitor their card activity and report any fraudulent charges to their card company.
“Customers will not be responsible for fraudulent charges to their accounts if they are reported in a timely manner,” Viator said.
The company is also pushing customers to reset their passwords for its site, and anywhere else the password is used.
It added: “We have no reason to believe at this time that the three or four-digit code printed at the back or front of customers' cards were compromised. Additionally, debit PIN numbers are not collected by Viator and could therefore not be compromised.”
Viator is also making extra provision for US customers, though not yet for those in the UK.
It said: “We are offering free identity protection services, including credit monitoring, for our customers in the US. We continue to explore whether there are appropriate comparable options for our customers outside the US who may have been affected by this compromise.”
Viator offers travel tours and attractions in 1,500 destinations. When it was acquired last month, TripAdvisor CEO Stephen Kaufer said: “Viator will be a great addition to the TripAdvisor family, as online and mobile bookings for attractions and activities represents a huge opportunity for our business.”
But Viator has become the latest victim in a long line of payment card breaches, which have included US retailers Target and Home Depot.
Security experts have pointed out that one saving grace is that its customers' passwords were encrypted, but have criticised Viator's delay in making the breach public.