The Madison Square Garden Company, which operates the popular self-named arena in New York City among other properties, has disclosed a data breach affecting its customers.
Thieves stole credit and debit card information from customers of its concession stands over a year-long period, the company revealed on Tuesday. The cause of the breach has since been resolved, the company said.
Anyone who purchased food, drink, or other merchandise at the company’s properties between Nov. 9, 2015 and Oct. 24, 2016 may have had their payment card information filched. According to the disclosure, affected venues may include Madison Square Garden, the Theatre at Madison Square Garden, Radio City Music Hall, Beacon Theater, and Chicago Theater.
Get Data Sheet, Fortune’s technology newsletter.
The company did not say how many people had been targeted after buying, say, pizza, beer, or T-shirts, at these sites. It revealed, however, that the crooks had nabbed payment card numbers, names, expiration dates, and internal verification codes from the cards.
The thieves are said to have installed malware, or malicious software, on the company’s payment processing system to capture this information. People who bought tickets to see concerts, performances, or sporting events on the MSG websites, at its box offices, or on Ticketmaster were not affected, it said.
The Madison Square Garden Company learned of the breach after several banks discovered a common pattern of fraudulent transactions that traced back to its venues, the company said. It recommended that customers keep an eye on their payment records and alert their banks about any fraudulent charges.
For more on data breaches, watch:
“MSG has stopped this incident, and we continue to work with the computer security firms to further strengthen the security of our systems to help prevent this from happening again,” the company said. “We regret any inconvenience this may have caused.”
The company said it is working with law enforcement to investigate the theft.