New hotels caught in Sabre's data breach

As expected, the data breach disclosed by Sabre Corporation in early May that compromised its SynXis central-reservations system, exposing consumers' payment card data and personally identifiable information, has continued to grow. 

Earlier this month, Four Seasons, Trump Hotels, Hard Rock Hotels & Casinos, and Loews Hotels all announced that they were affected by the SynXis breach, and this week another hotel company has befallen the same fate—and another hotel suffered a data breach via malware.

Two Roads Hospitality, which manages a number of brands, including Joie de VivreThompson and Destination, has notified customers that hackers have gained access to personal guest information via the SynXis system. None of the hotel properties' computer or network systems was said to be affected by this incident. Two Roads was notified on June 6, 2017, that the hacking took place between August 2016 and March 2017. The hackers got hold of credit and debit card information including name, card numbers, expiration date and three-digit security codes. They also accessed some emails, phone numbers and addresses, but no Social Security, driver's license, or passport numbers were compromised.

In this week's second incident, the payment card system at Galt House Hotel experienced a security breach that allowed unauthorized access to guests' data, as well. The largest hotel in Louisville, Ky., with more than 1,300 guestrooms, said in a news release that the breach affected payments made from Dec. 21, 2016, to April 11, 2017.

On June 26, a Galt House investigation determined that malware had been installed on its payment card processing system that copied some guests' payment card data, including the cardholders' names, payment card account numbers, card expiration dates and verification codes.

The hotel said that after it was alerted to the incident, it initiated an investigation of the payment card system that supports card acceptance. It also hired a computer forensics firm to assist and coordinated with law enforcement.

In the original Sabre incident, the $3.37 billion corporation acknowledged that its SynXis software-as-a-service platform was accessed by an unauthorized party, who gained access to payment information corresponding to a subset of hotel reservations. Sabre did not specify when or how the actual intrusion took place or how many records are potentially affected. Sabre does not believe any other system was affected.

Sabre contacted law enforcement, began notifying affected customers and hired the cybersecurity investigatory firm Mandiant to investigate. According to Sabre’s marketing literature, more than 32,000 properties use Sabre’s SynXis reservations system.

Sabre told customers that it didn’t have any additional details about the breach to share at that time, so it remains unclear what the exact cause of the breach may be or for how long it may have persisted.