Sabre discloses hotel reservations system security breach

Sabre Corporation disclosed a breach of its hospitality solutions SynXis central-reservations system that may have exposed consumers' payment card data and personally identifiable information.

According to an SEC filing made by the company on Tuesday, the $3.37 billion corporation acknowledged that its SynXis software-as-a-service platform was accessed by an unauthorized party, who gained access to payment information corresponding to a subset of hotel reservations. Sabre did not specify when or how the actual intrusion took place or how many records are potentially affected. Sabre does not believe any other system was affected.

"The unauthorized access has been shut off and there is no evidence of continued unauthorized activity. There is no reason to believe that any other Sabre systems beyond SynXis Central Reservations have been affected," the company reported in its quarterly filing and a related press statement.

Sabre contacted law enforcement, began notifying affected customers and hired the cybersecurity investigatory firm Mandiant to investigate. According to Sabre’s marketing literature, more than 32,000 properties use Sabre’s SynXis reservations system.

Sabre told customers that it didn’t have any additional details about the breach to share at this time, so it remains unclear what the exact cause of the breach may be or for how long it may have persisted, reports Krebs on Security. A card involving traveler transactions for even a small percentage of the 32,000 properties that are using Sabre’s impacted technology could jeopardize a significant number of customer credit cards in a short amount of time.

Shane Stevens, director, omni-channel trust and identity solutions, VASCO Data Security, told InfoSecurity Magazine that multiple-factor authentication controls, securing end-to-end profile and payment transaction data, and protection of the mobile app are just some areas that need to take priority. 

“Outside of being very concerned about using my mobile device to access my room, I would personally tell all consumers to cease and lock away the use of all debit cards and instead use charge cards to transact in order to protect themselves, as at this point, we are just not sure what is safe anymore,” he added. 

Most recently, InterContinental Hotels Group saw 1,200 of its franchised hotels in the United States hacked over a three-month period, but there have been a huge string of acknowledged breaches in the past two years: Kimpton Hotels, HEI Hotels and Resorts, Millennium Hotels & Resorts North America, the Hard Rock Hotel & Casino in Las Vegas (twice), Trump Hotels (twice), Golden Nugget hotels, Mandarin Oriental, Omni Hotels, and White Lodging all have been victims of data breaches.

"While we don't know the specifics of who had unauthorized access to the information and what tactics were used, we've seen from similar attacks that hackers gain access with co-opted credentials of someone with too much access,”  Ken Spinner, VP of field engineering at enterprise infosec management company Varonis Systems, told SC Magazine. “The attack on Hyatt earlier this year is a perfect example of hackers gaining access to payment systems by exploiting excessive employee permissions.”

The pain of a data breach can continue for hotels way beyond the original event. Earlier this year, Rosen Hotels was sued over data-breach payments stemming from a breach in early 2016. It threatens to cost the company more than $2.4 million. St. Paul Fire & Marine Insurance has filed a lawsuit asking a Florida judge to formally state that the insurance company is not responsible for paying any costs related to the breach.

In the suit, St. Paul's is claiming a data breach and any ensuing losses are outside the scope of the commercial general liability policy and it wants a judgment by the court confirming this stance.