Hard Rock Hotels & Casinos and Loews Hotels have warned customers that a security failure may have resulted in the theft of their information. Both incidents are linked to Sabre Hospitality Solutions’ credit card data breach in its SynXis hotel-reservations system. Sabre’s investigation found that it was contained to "a limited subset of hotel reservations," but an unauthorized party did have access to credit card numbers, expiration dates and cardholder names.
Sabre first announced the data breach in May. Since then, the company said it has been working with its customers and partners that use or interact with the system. The company said the hackers had managed to access personally identifiable data, payment card details and other information. An investigation revealed that the attackers gained access to the system after hijacking an internal account on the SynXis platform.
Hard Rock Hotels & Casinos issued a statement informing customers of the data breach last week. The hotel chain, which operates 176 cafes, 24 hotels and 11 casinos in 75 countries, said SynXis, the backbone infrastructure for reservations made through hotels and travel agencies, provided the avenue for data theft and the exposure of customer information.
Hard Rock Hotel & Casino properties in Biloxi, Miss.; Cancun, Mexico; Chicago; Goa, India; Las Vegas; Palm Springs, Calif.; Panama City, Panama; Punta Cana, Dominican Republic; Rivera Maya, Mexico; San Diego; and Nuevo Vallarta, Mexico, are all affected.
Loews Hotels also appears to be a victim of the same security failure. According to NBC, Sabre was also at fault and cyberattackers were able to slurp credit card, security code and password information through the booking portal. In some cases, email addresses, phone numbers and street addresses were also allegedly exposed.
About 36,000 hotels use the SynXis reservations system.
According to Sabre, there was "no indication" that other systems outside of SynXis central reservations were affected. It did, however, find that the unauthorized party accessed the information over the course of seven months, from August 2016 to March 2017.
According to the consumer website Sabre has set up about the incident, the unauthorized party was able to access cardholder names, payment card numbers, card expiration dates, card security codes for some, and, in some cases, guest name, email, phone number and address.
"Not all reservations that were viewed included the payment card security code, as a large percentage of bookings were made without a security code being provided," Sabre's statement said. "Others were processed using virtual card numbers in lieu of consumer credit cards. Personal information such as Social Security, passport or driver's license number was not accessed."
Since the breach was discovered, Sabre said it has taken steps to end the unauthorized access and ensure it is no longer possible. Law enforcement and the credit-card companies were also notified. While no evidence was found that the unauthorized party removed information from the system, Sabre did say it is a possibility.
"Not all of our SHS customers had reservations that were accessed, and even for those that did have reservations that were viewed, it varied with regard to the percentage of reservations that were accessed," the statement said.
Sabre said it regrets the incident, and "our industry, like many, faces ever-increasing cybersecurity threats that require strong partnerships across the travel ecosystem. Sabre will continue to take strong measures to protect the interests of our customers and the traveling public."