Sabre discloses hotel reservations system security breach

Sabre Corporation disclosed a breach of its hospitality solutions SynXis central-reservations system that may have exposed consumers' payment card data and personally identifiable information.

According to an SEC filing made by the company on Tuesday, the $3.37 billion corporation acknowledged that its SynXis software-as-a-service platform was accessed by an unauthorized party, who gained access to payment information corresponding to a subset of hotel reservations. Sabre did not specify when or how the actual intrusion took place or how many records are potentially affected. Sabre does not believe any other system was affected.

"The unauthorized access has been shut off and there is no evidence of continued unauthorized activity. There is no reason to believe that any other Sabre systems beyond SynXis Central Reservations have been affected," the company reported in its quarterly filing and a related press statement.



Sabre contacted law enforcement, began notifying affected customers and hired the cybersecurity investigatory firm Mandiant to investigate. According to Sabre’s marketing literature, more than 32,000 properties use Sabre’s SynXis reservations system.

Sabre told customers that it didn’t have any additional details about the breach to share at this time, so it remains unclear what the exact cause of the breach may be or for how long it may have persisted, reports Krebs on Security. A card breach involving traveler transactions for even a small percentage of the 32,000 properties that are using Sabre’s impacted technology could jeopardize a significant number of customer credit cards in a short amount of time.

Shane Stevens, director, omni-channel trust and identity solutions, VASCO Data Security, told InfoSecurity Magazine that multiple-factor authentication controls, securing end-to-end profile and payment transaction data, and protection of the mobile app are just some areas that need to take priority. 

“Outside of being very concerned about using my mobile device to access my room, I would personally tell all consumers to cease and lock away the use of all debit cards and instead use charge cards to transact in order to protect themselves, as at this point, we are just not sure what is safe anymore,” he added. 

Most recently, InterContinental Hotels Group saw 1,200 of its franchised hotels in the United States hacked over a three-month period, but there has been a huge string of acknowledged breaches in the past two years: Kimpton Hotels, HEI Hotels and Resorts, Millennium Hotels & Resorts North America, the Hard Rock Hotel & Casino in Las Vegas (twice), Trump Hotels (twice), Golden Nugget hotels, Mandarin Oriental, Omni Hotels, and White Lodging all have been victims of data breaches.

“While we don't know the specifics of who had unauthorized access to the information and what tactics were used, we've seen from similar attacks that hackers gain access with co-opted credentials of someone with too much access,” Ken Spinner, VP of field engineering at enterprise infosec management company Varonis Systems, told SC Magazine. “The attack on Hyatt earlier this year is a perfect example of hackers gaining access to payment systems by exploiting excessive employee permissions.”

The pain of a data breach can continue for hotels way beyond the original event. Earlier this year, Rosen Hotels was sued over data-breach payments stemming from a breach in early 2016. It threatens to cost the company more than $2.4 million. St. Paul Fire & Marine Insurance has filed a lawsuit asking a Florida judge to formally state that the insurance company is not responsible for paying any costs related to the breach.

In the suit, St. Paul's is claiming a data breach and any ensuing losses are outside the scope of the commercial general liability policy and it wants a judgment by the court confirming this stance. 
