Card processing firm Global Payments has provided more detail on the attack on its computer systems earlier this year, warning that the attackers may have had access to unspecified personal data.
Global Payments confirmed the attackers had access to details of 1.5 million cards, but it said the attack had now been contained.
Global Payments also revealed the attacks had gained access to servers containing personal information "from a subset of US merchant applications". While it could not ascertain whether the data had been copied, it would be notifying affected customers in the coming days.
It also said that it would provide those affected with credit monitoring and identity protection insurance.
“We sincerely apologise for this incident and are working diligently to conclude our investigation,” said Paul Garcia, chief executive of Global Payments.
The firm also confirmed that the attackers would only have gained access to so-called 'track two' data – which does not include addresses or social security numbers.
The systems breach was first detected in March. At that time, Global Payments said it thought up to 1.5 million Visa and Mastercard cardholders may have been affected, but it has taken it some time to confirm those numbers.
After that revelation, Visa removed Global Payments from its list of PCI compliant service providers.
Global Payments now said it aims to revalidate its PCI compliance status once it has finished investigating the breach and will look to get reinstated at that point.