The Radisson Hotel Group reported its Radisson Rewards program was hit with a data breach sometime before October 1 exposing member’s personally identifiable information.

In a statement Radisson said unauthorized individual gained access to the database where member name, address (including country of residence), email address, and in some cases, company name, phone number, Radisson Rewards member number and any frequent flyer numbers on file were stored.

No credit card or password information was compromised, Radisson said, adding an individual’s travel history with Radisson was not in this system. No details on how the system was breached was shared.

The company did not release any information on how many members’ were exposed but did say, individuals who stayed at a Radisson Hotel, but are not Rewards Members, were not involved in the breach.

The data breach was discovered on October 1 and EU regulators were immediately notified, a company spokesman told SC Media. The company sent emails to the Rewards members notifying them of the incident on Oct. 30-31.

“The fact that passwords and financial information does not seem to be affected makes the likely impact of the breach much smaller,” said Ross Rustici, Cybereason’s senior director, intelligence services, adding, “The two large implications of this particular incident revolve around how the EU decides to enforce GDPR. Like the British Airways hack earlier this year, each major company that suffers an incident is going to be a testbed for how stringently GDPR gets enforced and what the private sector can actually expect from the regulations.”