Orbitz, a subsidiary of online travel agency Expedia, said on Tuesday that hackers may have accessed personal information from about 880,000 payment cards.
The unit said an investigation showed that the breach may have occurred between 1 January 2016 and 22 December 2017 for its partner platform and between 1 January 2016 and 22 June 2016 for its consumer platform.
Information such as names, phone numbers, email and billing addresses may have been accessed, the travel website operator said, adding that its website, Orbitz.com, was not impacted.
"To date, we do not have direct evidence that this personal information was actually taken from the platform and there has been no evidence of access to other types of personal information, including passport and travel itinerary information," Orbitz said.
For U.S. customers, social security numbers were not involved in this incident, the company said, with the organisation claiming to have addressed the breach after it was discovered in March this year.
Meanwhile, credit card issuer American Express said in a statement that the attack did not compromise its platforms.
Founded in 1999, Orbitz.com is a travel website where consumers can search for and book a broad range of hotels, flights, car rentals, cruises, vacation packages and destination activities.
The business was acquired by Expedia for US$1.6 billion in February 2015, almost 12 months before the first breach occurred.
Specific to Expedia, the group controls an expansive brand of online travel brands, including Hotels.com, Hotwire, Travelocity and Egencia, alongside Trivago, Wotif Group and CarRentals.com.
Meanwhile, the breach is the latest in the travel sector and follows attacks on global hotel chain InterContinental Hotels and Hyatt Hotels last year.
Expedia's shares fell as much as 1.9 per cent to US$108.99.
(Reporting by Vibhuti Sharma in Bengaluru; Editing by Anil D'Silva and Sriraj Kalluvila)