A cyber attack on travel trade association Abta put data records of around 43,000 people at risk of being accessed.
The organisation said around 1,000 of these files may include "personal identity information" of consumers who had complained about a holiday.
The attack on Abta's website happened on February 27.
Abta chief executive Mark Tanzer said he would "personally like to apologise for the anxiety and concern" that the incident may have caused.
He went on: "It is extremely disappointing that our web server, managed for Abta through a third party web developer and hosting company, was compromised, and we are taking every step we can to help those affected.
"I will personally be working with the team to look at what we can learn from this situation."
Mr Tanzer said he was "not aware of any information being shared beyond the infiltrator".
Abta is the UK's largest travel association, representing travel agents and tour operators.
Consumers who book a package holiday with an Abta member are protected financially if the company goes bust.
The hacker exploited a "system vulnerability" with the abta.com web server to "access some data" provided by holidaymakers and travel firms, Abta said.
The association "immediately engaged security risk consultants" to assess the potential extent of the incident and informed the police and the Information Commissioner.
Abta said the "vast majority" of the 43,000 data records at risk relate to people who had registered on abta.com with email addresses and encrypted passwords, or filled out an online form with "basic contact details".
There is a "very low exposure risk to identity theft or online fraud" for these people, the company said.
It advised travel agents registered on its website to immediately change their passwords and called on people who had uploaded personal documents relating to their membership to "actively monitor" their bank accounts.