Four Seasons Hotels and Resorts and Trump Hotels are the latest hotel companies to be hit with a data breach that occurred via their third-party hotel reservations provider, Sabre Hospitality Solutions. Both incidents are linked to a credit card data breach in Sabre's SynXis hotel-reservations system. Sabre’s investigation found that the breach was contained to "a limited subset of hotel reservations," but an unauthorized party did have access to credit card numbers, expiration dates and cardholder names.
From Aug. 10, 2016, to March 9, 2017, guest information related to a group of hotel reservations (unencrypted payment card information, reservation information) booked through Sabre’s SynXis central-reservations system was accessed by an unauthorized party.
“It’s unfortunate that the system that was hacked isn’t owned by the hotels but by the service provider,” said Patrick Dunphy, CIO of Hospitality Technology Next Generation. “Obviously the hotel owns the guest relationship and that’s what will be hurt. It’s important to remember that the hack only impacts a single booking channel—that thankfully reduces the scope tremendously.”
Reservations made on FourSeasons.com, with the Four Seasons global reservations office or made directly with any of Four Seasons’ 105 hotels or resorts were not compromised by this incident, the company said. Likewise, the breach related to Trump Hotels did not take place on Trump Hotels’ own reservations systems.
Four Seasons’ and Trump Hotels’ SynXis data breaches come on the heels of Hard Rock Hotels & Casinos and Loews Hotels revealing they were both impacted by the same hack earlier this week. Carlson Wagonlit Travel, used by some Google employees, was also affected.
“Why are hackers targeting hotels? Well, because they’re a good target,” Peter W. Singer, a senior fellow at the New America Foundation, told the Washington Post. “Then you look at Trump’s hotels, and they’re obviously a highly symbolic target. If more people are staying there in an attempt to curry favor with the government, the fishing pool of targets is certainly greater than it was prior to November.”
The industry as a whole will need to take a closer look at its technology providers, Dunphy said. “Hotels aren’t tech companies—that’s why they require a guarantee from their providers to ensure their guests’ safety.”
Dunphy believes Sabre will be impacted in the short- and long-term as a result of this hack. “They will likely have significant costs related to this,” he said. “Like retailers Target and Home Depot, they should be able to weather the storm in the short-term but that can change in the long-term.”
When dealing with a third-party provider, hotels need to be vigilant with their systems, Dunphy said, by making sure the providers are meeting payment card industry compliance and following best practices. “They need to ensure their guests’ data is protected,” he said.
HTNG’s CISO forum is made up of hotel chief information security officers and gives them a place to confidentially share information about security threats, best practices, security management and solutions. Dunphy recommends hotels participate in the forum to stay on top of potential threats and to learn what precautions to take against them.
Sabre is currently collaborating with a cybersecurity firm to support its investigation, and has notified law enforcement and major credit card companies of the incident.