Sabre’s SynXis data breach affects Hard Rock, Loews Hotels

Hard Rock Hotel Panama Megapolis is one of the hotels affected by the Sabre SynXis hotel reservations system.

Hard Rock Hotels & Casinos and Loews Hotels have warned customers that a security failure may have resulted in the theft of their information. Both incidents are linked to Sabre Hospitality Solutions’ credit card data breach in its SynXis hotel-reservations system. Sabre’s investigation found that it was contained to "a limited subset of hotel reservations," but an unauthorized party did have access to credit card numbers, expiration dates and cardholder names.

Sabre first announced the data breach in May. Since then, the company said it has been working with its customers and partners that use or interact with the system. The company said the hackers had managed to access personally identifiable data, payment card details and other information. An investigation revealed that the attackers gained access to the system after hijacking an internal account on the SynXis platform.

Hard Rock Hotels & Casinos issued a statement informing customers of the data breach last week. The hotel chain, which operates 176 cafes, 24 hotels and 11 casinos in 75 countries, said SynXis, the backbone infrastructure for reservations made through hotels and travel agencies, provided the avenue for data theft and the exposure of customer information.

Virtual Roundtable

Post COVID-19: The New Guest Experience

Join Hotel Management’s Elaine Simon for our latest roundtable—Post COVID-19: The New Guest Experience. The experts on the panel will share how to inspire guest confidence that hotels are safe and clean and how to win back guest business.

Hard Rock Hotel & Casino properties in Biloxi, Miss.; Cancun, Mexico; Chicago; Goa, India; Las Vegas; Palm Springs, Calif.; Panama City, Panama; Punta Cana, Dominican Republic; Rivera Maya, Mexico; San Diego; and Nuevo Vallarta, Mexico, are all affected.

Loews Hotels also appears to be a victim of the same security failure. According to NBC, Sabre was also at fault and cyberattackers were able to slurp credit card, security code and password information through the booking portal. In some cases, email addresses, phone numbers and street addresses were also allegedly exposed.

About 36,000 hotels use the SynXis reservations system.

According to Sabre, there was "no indication" that other systems outside of SynXis central reservations were affected. It did, however, find that the unauthorized party accessed the information over the course of seven months, from August 2016 to March 2017.

According to the consumer website Sabre has set up about the incident, the unauthorized party was able to access cardholder names, payment card numbers, card expiration dates, card security codes for some, and, in some cases, guest name, email, phone number and address.

"Not all reservations that were viewed included the payment card security code, as a large percentage of bookings were made without a security code being provided," Sabre's statement said. "Others were processed using virtual card numbers in lieu of consumer credit cards. Personal information such as Social Security, passport or driver's license number was not accessed."

Since the breach was discovered, Sabre said it has taken steps to end the unauthorized access and ensure it is no longer possible. Law enforcement and the credit-card companies were also notified. While no evidence was found that the unauthorized party removed information from the system, Sabre did say it is a possibility.

"Not all of our SHS customers had reservations that were accessed, and even for those that did have reservations that were viewed, it varied with regard to the percentage of reservations that were accessed," the statement said.

Sabre said it regrets the incident, and "our industry, like many, faces ever-increasing cybersecurity threats that require strong partnerships across the travel ecosystem. Sabre will continue to take strong measures to protect the interests of our customers and the traveling public."

Suggested Articles

The management company has retained its Deerfield, Ill., location as a regional office.

Two recent cases address the issue of hotel liability when personnel assist police who have an issue with a guest—here's the lesson for hotels.

Aqua-Aston Hospitality will roll out its new Next Level program of cleaning and service protocols at its 30+ managed hotels and resorts by Aug. 1.