New hotels caught in Sabre's data breach

Two Roads was notified on June 6, 2017, that the hacking took place between August 2016 and March 2017.

As expected, the data breach disclosed by Sabre Corporation in early May that compromised its SynXis central-reservations system, exposing consumers' payment card data and personally identifiable information, has continued to grow. 

Earlier this month, Four Seasons, Trump Hotels, Hard Rock Hotels & Casinos, and Loews Hotels all announced that they were affected by the SynXis breach, and this week another hotel company has befallen the same fate—and another hotel suffered a data breach via malware.

Two Roads Hospitality, which manages a number of brands, including Joie de VivreThompson and Destination, has notified customers that hackers have gained access to personal guest information via the SynXis system. None of the hotel properties' computer or network systems was said to be affected by this incident. Two Roads was notified on June 6, 2017, that the hacking took place between August 2016 and March 2017. The hackers got hold of credit and debit card information including name, card numbers, expiration date and three-digit security codes. They also accessed some emails, phone numbers and addresses, but no Social Security, driver's license, or passport numbers were compromised.

Virtual Event

HOTEL OPTIMIZATION PART 2 | SEPTEMBER 10 & 24, 2020

Survival in these times is highly dependent on a hotel's ability to quickly adapt and pivot their business to meet the current needs of travelers and the surrounding community. Join us for Optimization Part 2 – a FREE virtual event – as we bring together top players in the industry to discuss alternative uses when occupancy is down, ways to boost F&B revenue, how to help your staff adjust to new challenges and more, in a series of panels focused on how you can regain profitability during this crisis.


In this week's second incident, the payment card system at Galt House Hotel experienced a security breach that allowed unauthorized access to guests' data, as well. The largest hotel in Louisville, Ky., with more than 1,300 guestrooms, said in a news release that the breach affected payments made from Dec. 21, 2016, to April 11, 2017.

On June 26, a Galt House investigation determined that malware had been installed on its payment card processing system that copied some guests' payment card data, including the cardholders' names, payment card account numbers, card expiration dates and verification codes.

The hotel said that after it was alerted to the incident, it initiated an investigation of the payment card system that supports card acceptance. It also hired a computer forensics firm to assist and coordinated with law enforcement.

In the original Sabre incident, the $3.37 billion corporation acknowledged that its SynXis software-as-a-service platform was accessed by an unauthorized party, who gained access to payment information corresponding to a subset of hotel reservations. Sabre did not specify when or how the actual intrusion took place or how many records are potentially affected. Sabre does not believe any other system was affected.

Sabre contacted law enforcement, began notifying affected customers and hired the cybersecurity investigatory firm Mandiant to investigate. According to Sabre’s marketing literature, more than 32,000 properties use Sabre’s SynXis reservations system.

Sabre told customers that it didn’t have any additional details about the breach to share at that time, so it remains unclear what the exact cause of the breach may be or for how long it may have persisted.

Suggested Articles

The absolute occupancy and RevPAR levels were the lowest for any Q3 in STR’s U.S. database.

Implementation of Volara’s contactless guest engagement and touchless room controls system is part of a rollout by Viceroy Hotels & Resorts.

U.S. hotel occupancy was virtually flat at 50.1 percent during the week of Oct. 11-17, according to the latest data from STR.