Customers of Hawaii’s largest tour and transportation company may be getting billed for more than their luau visit, airport shuttle or sightseeing trip if they paid online in the last year or two.

Roberts Hawaii announced Friday that it is alerting customers who paid for services online over a 17-month period that their card information may have been stolen.

The company said several customers have reported fraudulent charges on card bills after paying for activities, transportation or other offerings on the Roberts Hawaii website. Roberts responded by hiring a cybersecurity firm, which found unauthorized computer code surreptitiously installed on its web server and designed to copy information from payment cards along with customer names, addresses and phone numbers.

Orders placed between July 30, 2015, and Dec. 14, 2016, may have been affected, Roberts said. The company has shut down its payment collection pages and substituted third-party online booking services.

Roberts has also set up a call center to answer customer questions about the breach at 877-235-0796 and has advisory information posted at robertshawaii.com/protectingourcustomers.

“Our customers’ confidence and trust are important to us, and we sincerely apologize for any inconvenience or concern this may have caused,” Wayne Fernandez, director of safety and security for Roberts, said in a statement.

The company began sending letters to customers Friday, asking them to review card statements for unauthorized activity.