Delta Air Lines Inc and department store chain Sears Holding Corp confirmed on Wednesday that some of their customer payment information may have been exposed in a cybersecurity breach at software service provider [ 24]7.ai.

Delta said in a statement that it was informed on March 28 by [24]7.ai, a company that provides online chat services for Delta and many other companies, that [24]7.ai had been involved in a cyber incident. According to Delta, the incident occurred at [24]7.ai from Sept. 26 to Oct. 12, 2017, and during this time certain customer payment information for [24]7.ai clients, including Delta, may have been accessed.

Sears in its statement said the company was notified by [24]7.ai that they experienced a security incident last fall, leading to unauthorized access to less than 100,000 of their customers’ credit card information. The credit card information for certain customers who transacted online between September 27, 2017 and October 12, 2017 may have been compromised, Sears stated.

[24]7.ai in a statement said the company discovered and contained an incident potentially affecting the online customer payment information of some of their client companies. According to them, the incident began on Sept. 26, and was discovered and contained on Oct. 12, 2017.

All three companies say they have contained the situation, and are cooperating with law enforcement and forensic teams.

Delta said even though only a small subset of their customers would have been exposed, they cannot say definitively whether any of their customers’ information was actually accessed or subsequently compromised.