Delta Air Lines Inc. said a cyber attack on a contractor potentially exposed the payment information of “several hundred thousand customers.”

A data breach from Sept. 26 to Oct. 12 at a company called [24]7.ai allowed unauthorized access to customers’ names, address, payment-card information, CVV numbers and expiration dates, Delta said in a statement Thursday. The vendor, which provides online chat services to Delta, notified the carrier and other clients last week.

The incident adds to a growing list of U.S. companies announcing cyber attacks in the past week that exposed the data of millions of people and, in some cases, sought to compromise operations. The attacks have affected a broad swath of industries, including retailers Hudson Bay Co. and Under Armour Inc., aerospace giant Boeing Co., natural gas pipelines and electric utilities.

Delta said it wasn’t yet able to say how many customers actually had their data stolen. The information was at risk if a customer entered data manually online to complete a payment transaction, Delta said. Data from customers who used a program called Delta Wallet weren’t compromised.

Sears Holdings Corp. said Wednesday it was notified in mid-March by the same contractor of a security incident that occurred last fall. The incident involved unauthorized access to fewer than than 100,000 of its customers’ credit-card information, Sears said.

While Delta has engaged federal law enforcement and forensic teams, the company had no information about who was behind the attack, including whether the perpetrator had any foreign connection. Last month, Bloomberg reported that Russian hackers attempted to penetrate the U.S. civilian aviation industry as part of a broad attack on U.S. infrastructure in early 2017, although that effort had limited impact.