P2019-ND-057

The Organization provides a platform to host online registration and payment services for athletic races and similar events. In October 2017, the Organization became aware of suspicious activity on one of its systems through social media activity, customer complaints and reports from the card brands. The Organization investigated and determined the suspicious activity related to transactions manually keyed in by users while checking out on the Organization's website, and that an unauthorized third party may have accessed personal information provided by users between December 2016 and September 2017. The investigation also determined that the unauthorized third party used customer credentials (i.e. belonging to a race or event organizer) to access the network. The Organization believes the credentials were taken from the customers by way of a phishing attack or social engineering. Because the unauthorized third party used customer credentials, this access did not appear to be unauthorized. The unauthorized third party was able to gain further access into the Organization's environment and the presentation layer of an application that is part of the checkout process.
