The Expedia-owned travel website operator said the breach affected an older website and the platform of an unnamed business partner. The information attackers “likely accessed” included people’s names, dates of birth, email addresses, street addresses, and genders, Orbitz said.

The breach, which took place between Oct. and Dec. and involved records dating between Jan. 1, 2016 and Dec. 22, 2017, did not affect its current website, Orbitz.com, nor did it involve any Social Security numbers, Orbitz said. The company said it “has not found any evidence” that other customer information was affected, like travel itineraries or passports.

Orbitz advised customers who used its services during the prescribed time period to check their credit and debit card billings statements and to contact their banks if they see any fraudulent charges.

Orbitz said it was in the process of notifying potential victims and that it would offer them a year of free credit monitoring services. Customers with questions can visit orbitz.allclearid.com for more information, the company said.

“We deeply regret the incident,” Orbitz said in a statement, noting that it was unsure whether hackers had indeed absconded with customer information. The company determined on March 1, 2018 that it had uncovered “evidence suggesting…an attacker may have accessed personal information,” it said.

“We took immediate steps to investigate the incident and enhance security and monitoring of the affected platform,” Orbitz said.

Expedia’s share price fell almost 2% during the day.