The travel agents organisation ABTA says 43,000 members and travellers may have had their personal information stolen in a cyber attack.
It says the attack was perpetrated by an external infiltrator on its web server on 27th February.
ABTA says most of the information taken is what it calls "low risk", including email addresses and encrypted passwords.
But up to 1,000 holidaymakers who uploaded documents to do with holiday complaints may have been more seriously affected.
In their cases photographs, addresses and phone numbers could have been accessed, although ABTA says banking details would not have been available.
Also, more detailed information about 650 travel agents could have been hacked, along with documents supporting their membership applications.
They are being told to monitor their bank accounts and to be vigilant about online fraud.
ABTA says the vulnerability in its server has been identified and dealt with. It wasn't able to identify the infiltrator was, saying that was now a matter for the police.
Mark Tanzer, ABTA's chief executive, apologised for the anxiety and concern the incident had caused.