The company began notifying affected customers via telephone and e-mail over the weekend and by late Sunday had informed Visa and MasterCard about which of its cardholders had been affected.
Western Union spokesman Peter Ziverts said, so far, no cases of credit card fraud have been reported to the Englewood, Colo.-based company. Visa International and MasterCard International Inc. have begun monitoring customers' accounts for possible fraudulence, Ziverts said.
Western Union, a unit of Atlanta-based First Data Corp., first learned the Web site had been hacked on Friday. The Internet-based money-transfer service began in June, though the company was planning an official launch of the Web site sometime this month. Ziverts said the launch would likely be delayed.
Marc Rotenberg, executive director of the Washington-based Electronic Privacy Information Center, said the Western Union security breach reflects the risks to consumers as companies rush to do business on the Internet.
"In the end, what matters to consumers is that the companies to which they entrust their credit card numbers and personal information will be able to safeguard that data," Rotenberg said.
Last week, American Express announced it will offer disposable credit card numbers for safer online shopping, part of a bid to address privacy and security issues analysts say have slowed the growth of e-commerce.
Online money transfer accounts for an "absolutely minuscule" portion of the company's total transactions, Ziverts said. He would not say how much online business the company has lost due to the problem.
The Web site that was hacked -- www.westernunion.com -- also allows customers to apply for a loan, send messages and locate the nearest Western Union store. Customers using these services were not affected.
Western Union offers similar services on a separate Web site -- www.westernunionmoneyzap.com -- and customers using that site were not affected.
Ziverts said the problem was caused by human error and not an inherent technical flaw. Employees conducting regular maintenance left parts of it unprotected, allowing hackers to break in, he said. He said it was not an inside job.
The company has not taken any disciplinary action.
The company and law enforcement were investigating the breach, but Ziverts declined to provide further details about the probe or say what agencies were involved. The FBI office in Denver would not say whether it was participating.
Western Union carried out 73 million money transfer transactions worldwide last year. Most of them are done through agents in stores and other locations, others by hone. Only customers who used the Web site were affected, the company said.
Ziverts said the Western Union customers who use the Web site to transfer money tend to be wealthier than those who use the traditional method middle-income and above, he said, as opposed to middle-income and below for customers using the agents.
The company has set up a toll-free number for complaints: 1-800-228-6530.